capture module on a mobile personal wireless communication device (e.g., a wireless telephone) and a central authentication system coupled 
to a conventional mobile switching center. The central authentication system contains information that associates each mobile identification 
number ("MIN") with a particular user's fingerprint. When a wireless communication is to be initiated, the central authentication system 

METHOD OF USING FINGERPRINTS TO AUTHENTICATE WIRELESS COMMUNICATIONS

Cross Reference to Related Applications 

This application claims priority from (1) US Provisional Patent Application No. 
60/025,947 filed September 11, 1996, entitled METHOD OF USING FINGERPRINTS 
TO ELIMINATE WIRELESS PHONE FRAUD AND TO ASCERTAIN A CALLER'S 
IDENTITY and naming Y. Li, D. R. K. Rao, and S. Subbiah as inventors, and (2) US 
Provisional Patent Application No. 60/025,949, filed September 11, 1996, entitled 
EMBEDDABLE MODULE FOR FINGERPRINT CAPTURE AND MATCHING, and 
naming R. Rao, S. Subbiah, Y. Li, and D. Chu as inventors. Both of these applications 
are incorporated herein by reference in their entireties and for all purposes. 

Background of the Invention 

The present invention relates to security measures for wireless telephones or cellular 
mobile phones. More particularly, the invention relates to authentication methods 
employing biometric information (e.g., fingerprints) to guarantee non-fraudulent use of 
wireless telephones or cellular mobile phones. 

As known in the state of the art, wireless telephones or cellular mobile phones are 
identified by mobile identification numbers (MINs) and electronic serial numbers (ESNs). 
Current protocols for wireless communication, either placing or receiving a call, require 
both the MIN and the ESN to be broadcast through a standard common air interface (CAI) 
between the wireless telephone and a mobile switching center (MSC) for authorization and 
billing purposes. However, such information can be easily intercepted and obtained via 
specialized scanning equipment that is readily available. MINs and ESNs captured this 
way can be illegally programmed into other cellular phones for the purpose of placing calls 
that will be billed to the person that the MIN and ESN has been legitimately assigned to. 
This type of theft has become a common practice world-wide, and millions of dollars are 
lost to the wireless service providers and law enforcement agencies (US $650 million in 
1995). 

Various methods have been proposed to solve this problem. One method 
(described in U.S. Pat. No. 5,448,760) proposes the idea of requesting a personal 
identification number (PIN) each time a call is placed. The PIN can be safely transmitted 
through a different channel. However, this inconveniences the user and many users even 
forget their PINs. Another method (described in U.S. Pat. No. 5,420,908) proposes 
monitoring each customer's habit or calling pattern (also known as user profiles) and 
blocking any calls that do not fit the customer's previous calling pattern. However, such a 
method suffers from two problems: (1) the calling pattern of a customer is difficult to 
accurately pin point (any time the calling pattern changes a legitimate call might be blocked) 
and (2) it will not successfully block calls from phones that continually change the MIN-ESN 
pair that they employ. 

WO 98/11750    PCT/US97/16094 

In another method (described in U.S. Pat. No. 5,420,908 issued to Hodges and 
Rubenstein and incorporated herein by reference), a "challenge response" authentication 
scheme is proposed to solve fraudulent use in wireless communication. The proposed 
method includes a central authentication system serving several MSCs which store all 
MINs with associated secret keys that are used to generate the "challenge response" 
authentication. Having one central authentication system for several MSCs eliminates the 
need for cross-system access between different MSCs. However, for security reasons - 
e.g., power failure, computer hacker attacks, natural disasters - there should be at least one 
additional remote site that maintains a mirror copy of the central authentication system. 
Ideally backup communication between central authentication system and its mirror(s) 
allow both hot and cold backups to dynamically maintain identical copies at all times. All 
MSCs communicate with the central authentication platform through a standard phone line. 
This method also requires each wireless phone to have a device which contains special 
information to generate a correct response to a specific "challenge". Each time that a user 
uses a cellular phone, the MIN and ESN are sent to the MSC just as in the standard 
protocol used in wireless communication today. Then the MSC sends the information 
through a secure public switched telephone network (PSTN) line to the central 
authentication platform. The central system then takes the secret key which is associated 
with the MIN and generates a challenge which is sent to the cellular phone through a 
different wireless forward channel. The cellular phone then uses its special internal module 
to generate a response to the challenge which is then sent back to the MSC by wireless 
means and then forwarded to the central system via standard PSTN lines. The central 
system then compares the cellular phone's response to the pre-calculated response value it 
expects. If the response is correct the use is authorized. 

Such a system has certain advantages and should improve security in wireless 
communication. Although no specific type of secret key was disclosed in the '908 patent, 
the specified secret keys - including a string of special integers - suffer major drawbacks. 
First, computer systems are always subject to intruders/hackers. For example, just recently 
there was the much celebrated case of Tsutomu Shimomura the network security expert and 
his attacker Kevin Mitnick the outlaw computer hacker (In Takedown by John Markoff and 
T. Shimomura, Hyperion Press: USA 1995). In the case of a break-in or even a suspicion 
of a break-in, all stored secret keys are rendered useless and all the keys need to be 
updated. This necessarily means that all the users have to visit their service provider in 
person and update their secret key. Second, if only one or a few keys are stolen at any 
given time, the system would not be able to detect the theft until the end of each billing 
cycle (if even then). Third, the "challenge" is MIN-specific, the thieves who capture the 
MIN and ESN through the air interface can also capture the "challenge" and its "response" 
and attempt to crack the secret key. While some encryption methods like RSA can be made 
very secure now, the powerful computers that can be expected to become widely available 
in the future may allow secret keys to be cracked with the knowledge of multiple challenges 
and their responses. Still further, with the global computer connectivity, Internet viruses 
have become a major issue and almost every week there is a new virus that is released, 
particularly from less developed countries. If the central authentication system gets infected 
and the files tampered with, as before, all users have to return to their service provider to 
have a new secret key reissued. All these four scenarios are quite likely to happen in our 
age of high-tech criminals and even-higher tech teenage pranksters. 

What is needed therefore, is an improved security system to protect against 
unauthorized use of wireless communications. The method and associated system should 
provide improved security and be easy to maintain. 

Summary of the Invention 

The current invention expands on the principles and protocols discussed above. 
The relevant extension involves using a token generated from biometric information, the 
user's personal fingerprint in particular, as the secret key in the context of a modified 
"challenge-response" scenario. As will be explained, this virtually eliminates all of the 
drawbacks discussed above. Most generally, the invention involves the use of fingerprint 
matching to authenticate a call or other communication over a wireless communication 
network. The matching may be employed at a central location on the network, at the 
personal wireless device, or both. 

One aspect of the invention provides methods of authenticating calls to be made 
over a communication system. Typically, both a wireless source (e.g., a mobile telephone) 
and a central authentication node that may service numerous nodes participate in the 
methods - although each operates according to its own protocol. 

An authentication method implemented on the central authentication node may be 
characterized by the following sequence: (a) determining that the call has been initiated from 
a source; (b) determining whether source fingerprint data provided from the source matches 
stored fingerprint data associated with the source; and (c) if the source fingerprint data 
matches the stored fingerprint data, allowing the call to be completed. Matching may 
involve separate matching steps at both the source and the central authentication node. It 
may also involve decrypting a challenge. In addition to the above basic steps, the 
authentication node may request that the source fingerprint data be provided from the 
source of the call. In the case of a mobile telephone system, the call initiated from the 
source may be forwarded through any of a plurality of mobile switching centers to reach 
the central authentication node. That is, the central authentication node may serve multiple 
switching centers. In a preferred embodiment, the central authentication node accesses the 
stored fingerprint data from a database that associates particular users' accounts with their 
fingerprints. The fingerprint data (from the source or stored database) may be embedded in 
a token having a format making it difficult to extract the fingerprint data. In one 
embodiment, that token format may be an inter-minutiae distance-vector-derived format 
such as one of the formats commonly employed in the art. 

In one specific embodiment, the method also involves (a) encrypting a challenge 
with the stored fingerprint data to produce an encrypted challenge; and (b) providing the 
encrypted challenge to the source for the purpose of decrypting by the source with the 
source fingerprint data. The step of determining whether the source and stored fingerprint 
data match preferably involves (i) receiving a decrypted challenge from the source, which 
decrypted challenge had been decrypted with the source fingerprint data; and (ii) comparing 
the challenge with the decrypted challenge from the source. If the two match, then it is 
assumed that the stored and source fingerprints also match and the call is allowed to 
proceed. 

In a particularly preferred embodiment, the method involves a further security 
feature to avoid use of a stolen fingerprint token. This technique operates on the 
assumption that each time an individual gives a fingerprint, the print is slightly different due 
to the flexibility of the finger skin, the angle at which the finger is pressed down, etc. 
Thus, it is exceedingly rare that any two finger imprints from a given user will be identical. 
Recognizing this, the method may require the following: (a) determining whether the 
source fingerprint data is identical to one or more instances of sample fingerprint data 
previously received; and (b) if the source and any one of the instances of the sample 
fingerprint data are identical, preventing the call from being completed. 

Authentication methods implemented on a source such as a wireless telephone (as 
opposed to the central authentication center as described above) may be characterized as 
including the following steps: (a) transmitting a dialed number to a switching center on the 
communication network; (b) receiving a user's fingerprint (possibly after a prompt); (c) 
generating source fingerprint data from the user's fingerprint; and (d) if the source 
fingerprint data matches stored fingerprint data associated with user, completing the call. 
The source may itself determine whether the source fingerprint data matches the stored 
fingerprint data prior to completing the call. In the case of a wireless telephone, the method 
may also include traditional calling steps such as transmitting at least one of an MIN and an 
ESN to the switching center. 

In conjunction with the encryption technique described above for the central 
authentication node, the source may perform the following steps: (i) receiving an encrypted 
challenge from the switching center; (ii) decrypting the encrypted challenge with the source 
fingerprint data to produce a decrypted challenge; and (iii) transmitting the decrypted 
challenge to the switching center, such that if the decrypted challenge is found to match an 
unencrypted challenge, specifying that the source fingerprint data matches the stored 
fingerprint data (allowing the call to proceed). 

A personal wireless communication device (e.g., a wireless telephone) suitable for 
use with the authentication methods of this invention may be characterized as including the 
following features: (a) a wireless communications interface for sending and receiving 
wireless communications; (b) a device for capturing the user's fingerprint; and (c) a 
processing device (e.g., a CPU) capable of converting the user's fingerprint to source 
fingerprint data which can be transmitted. Preferably, the wireless device includes a casing 
and provided within that casing are both the device for capturing the user's fingerprint and 
the processing device. 

The wireless communications interface should be capable of sending the source 
fingerprint data to a remote location. Preferably, it should be capable of sending and 
receiving fingerprint data over a data channel which operates at a different frequency from a 
communications channel which sends and receives the wireless communications. 

In one embodiment, the device for capturing the user's fingerprint includes: (i) a 
fingerprint capture surface on which the user can place his or her finger to produce an 
optical image of his or her fingerprint; (ii) an imager capable of generating an electronic 
image of the user's fingerprint (e.g., a CCD array or CMOS photodiode/photogate array); 
and (iii) optics for directing the optical image of the user's fingerprint from the fingerprint 
capture surface to the imager. In a preferred embodiment, the imager is a CMOS 
photodiode/photogate array which is provided on an integrated circuit together with the 
processing device. In an alternative embodiment the device for capturing the user's 
fingerprint includes an imager which does not require optics. Examples of such 
"optics-free" imagers include capacitor arrays or ultrasonic mechanisms formed on 
semiconductor substrates. 

The processing device should contain the logic and resources necessary for 
comparing the source fingerprint data with stored fingerprint data received from a remote 
location. Preferably, the processing device should also be capable of decrypting a 
challenge received from the remote location. 

As noted, the biometric "challenge-response" authentication scheme of this 
invention preferably employs a central authentication platform serving several or all MSCs 
and wireless phones. In this manner, the current invention seeks to prevent fraudulently 
placed wireless calls using stolen MIN-ESN information. 

Another aspect of the invention provides a central authentication system or node 
connected to a communications network and capable of rendering wireless communications 
secure by processing biometric information from a user. Such central authentication 
systems may be characterized as including (a) a communications interface for sending and 
receiving data communications over the communications network; (b) a database interface 
for accessing a database containing stored fingerprint data associated with users of wireless 
communications devices; and (c) a processor capable of determining whether a wireless 
communication from a wireless communications device should be permitted based upon a 
match between a fingerprint taken from the wireless communications device and stored 
fingerprint data associated with the wireless communications device. 

Often the communications interface will be coupled to a public switched telephone 
network such that the data communications are directed to one or more mobile switching 
centers on the network. The database - which may form part of the central authentication 
system - preferably includes, for at least some of the wireless communications devices, a 
plurality of received tokens containing information from fingerprints taken at the wireless 
communications devices. The system then compares newly received tokens from a given 
wireless communication device with the plurality of tokens for that wireless 
communications device. 

These and other features and advantages of the present invention will be further 
described below with reference to the associated drawings. 

Brief Description of the Drawings 

Figure 1 is a block diagram of various components of the present invention as it may be 
employed in a cellular phone system. 

Figure 2 is a representation of a MIN-challenge key database table used to store tokens 
from biometric information in accordance with one preferred embodiment of this invention. 

Figures 3A and 3B together present a process flow diagram depicting a sequence of 
events in a challenge-response authentication method of the present invention. 

Figure 4 is a block diagram depicting basic components of a fingerprint capturing unit 
and an associated wireless telephone in accordance with a preferred embodiment of the present 
invention. 

Figure 5 is a flow diagram depicting a fingerprint matching technique that may be 
employed with the present invention. 

Figure 6 is a block diagram of a central authentication system for processing biometric 
information from a mobile telephone in accordance with one embodiment of the present 
invention. 



Detailed Description of the Preferred Embodiments 

The present invention is described herein in terms of a wireless telephone system. 
The invention is not so limited. For all purposes of this current invention, the term 
"wireless telephone" (or "wireless communication system") generically will be understood 
to include cellular phones, personal communication systems, telephones, personal digital 
assistants, wireless personal computers, wireless notebooks, etc. using analogue or digital 
electronics technology. While the present invention is currently envisioned as providing 
substantial benefit to wireless communications, there is in principle no reason why it could 
not be applied to communications generally. Any communication that could benefit from 
authentication may be implemented with the present invention. Such communications 
include those made over a wire-based telephone system and employing an account code. 

The communications allowed over the communication system will sometimes be 
referred to herein as "calls." Examples of communications (calls) within the context of this 
invention include (a) analog transmissions such as telephone calls transmitting analog voice 
data over a wire medium or a wireless medium and (b) digital transmissions such as 
packetized messages over a network (LAN, WAN, Internet, etc.) and digital voice data 
over a wireless medium. Communications involving packetized transmissions may be 
connection-based transmissions such as TCP or connectionless transmissions such as 
UDP. 

Fingerprint technology including hardware image capture, software image 
processing, software/hardware for fingerprint data storage and software for fingerprint 
analysis/comparison is a relatively mature technology with over 20 years of development 
(see, for example, U.S. Pat. Nos. 2 952 181, 4 151 512, 4 322 163, 4 537 484, 4 747 
147, 5 467 403, each of which is incorporated herein by reference for all purposes). It is 
well-known that no two individuals possess the same identical fingerprint and that accurate 
matching techniques in conjunction with well-captured images can positively identify an 
individual. The term "fingerprint" as used herein refers to handprints, palmprints, and 
other unique skin patterns in addition to traditional fingerprints. 

The present invention may employ sophisticated hardware and software to allow 
rapid fingerprint based identification as described in U.S. Provisional Application No. 
60/025,949, filed on September 11, 1996, naming R. Rao, S. Subbiah, Y. Li & D. Chu as 
inventors, and previously incorporated by reference. That application describes an 
extremely small, low-cost fingerprint capture hardware module that lends itself to ready 
insertion into many devices. The referenced Provisional Application was incorporated 
herein by reference for all purposes and is illustrative of the maturity of the fingerprint 
capture and comparison technology. 

FIG. 1 shows an apparatus that may be used to process a wireless call in 
accordance with the principles of the current invention. A fingerprint capturing device 
("FCPD") 101 (such as that described in U.S. Provisional Application No. 60/025,949, 
previously incorporated by reference) with an on-board CPU for processing and 
comparison of the captured fingerprint image (see FIG. 4) is connected to the wireless 
telephone 102. This connection may be by any method, i.e. via a telephone modem or a 
data port specifically built-in to the wireless telephone 102, an acoustic coupler, or the 
direct incorporation of the fingerprint module 101 into the wireless telephone 102. 
Preferably, the module 101 can be incorporated within telephone 102 such that a standard 
mobile telephone casing may house all electronics for operation of the telephone and 
fingerprint processing. In an especially preferred embodiment, the electronics for 
processing both the fingerprints and the telephone calls are provided on a single integrated 
circuit chip. This makes it especially difficult to tamper with the system by, for example, 
intercepting signals between fingerprint capturing module 101 and telephone 102. 

In one embodiment of the invention which employs a protocol similar to that of 
conventional wireless systems, each phone is provided with a MIN and ESN. When the 
user dials a telephone number using a keypad 112 on the wireless telephone 102, the MIN, 
ESN, and the number of the party being called is transmitted to a Mobile Switching Center 
(MSC) 103 of a wireless carrier 104. In response, MSC 103 performs the standard 
verification of the MIN and ESN as well-known in the art (see for example, in Wireless 
Communications, by T. S. Rappaport, 1996, Prentice-Hall which is incorporated herein by 
reference for all purposes). If the MIN and ESN belong to a special group of users who 
have previously requested the additional layer of fingerprint based security with their 
service, the MIN and ESN are sent to a Central Authentication System (CAS) 106 via a 
public switched telephone network (PSTN) or Internet 105 to avoid direct access of CAS 
106 through the air interface. This provides additional security for the CAS. 

In response to the MIN being forwarded by MSC 103, CAS 106 looks up its built-in 
MIN-Challenge Key Database (MCKD) 107 and retrieves an appropriate Challenge Key 
(CK 202, FIG. 2) that is associated with that particular MIN. The CK 202 is a token that 
has been derived from the user's fingerprint when the user first registered the purchase of 
his/her phone service. The CK 202 is then used to encrypt a "challenge" that is generated 
by the CAS 106. The challenge that is formulated by the CAS 106 is different each time 
when it is accessed by the same or different users. The CK 202 and the encrypted 
challenge are then jointly sent to wireless telephone 102 through any available forward 
voice channel (FVC) or forward control channel (FCC) for example. 

After reception of the challenge from CAS 106 by wireless telephone 102, the 
challenge is forwarded to FCPD 101 as detailed in FIG. 4. The user's fingerprint 
information could have been requested by FCPD 101 either before this point and after the 
user entered the number of the called party, or at this time point itself. A token, which in 
one embodiment could simply be an encoded collection of a set of unique minutiae/features 
found in the fingerprint, is then generated based on the fingerprint information captured 
locally by FCPD 101. As well-known in the art of fingerprint matching, a fingerprint from 
any individual is unique to that individual and therefore the variety of slightly different 
tokens (tokens can differ by a feature or two without any loss in uniqueness) that can be 
generated can only come from that individual. This is then compared with fingerprint-based 
token CK 202 that was received from CAS 106. If there is a match of the tokens, 
the encrypted message is decrypted by using token CK 202 received from CAS 106. In 
other embodiments, either or both tokens could be used to decrypt the challenge. A 
response (the decrypted challenge) is then sent back to MSC 103 through any of the 
available reverse voice channels (RVCs) or reverse control channels (RCCs). This is then 
forwarded via PSTN or Internet 105 (for additional security one may limit use of the 
common air interface as much as possible) back to CAS 106. 

The response from FCPD 101 to CAS 106 contains both the decrypted message 
and a token that is generated from the fingerprint image the user supplied. If (1) the 
received decrypted message matches the expected response (i.e., the original unencrypted 
challenge that had been temporarily stored in CAS 106, as detailed in FIG. 6) and (2) the 
token received from the FCPD 101 matches the CK 202 in the MCKD 107, the call is 
authorized and connected. This double matching method will reduce false positives. It will 
also prevent any illegal attempt that relies only on a decryption of just the encoded 
challenge. 

It is important to note that tokens generated from the same finger vary every time 
the fingerprint is captured. In a preferred embodiment, if the token sent from FCPD 101 
(via wireless telephone 102) is identical to that in the database (CK 202) the call will not be 
authorized, since it is extremely unlikely that the exact same token will be generated in 
subsequent image capture of the same finger. Presumably, such exact token matching will 
only happen if the token had been illegally captured and is being used for illegal access into 
the phone network. In this embodiment, the database may store up to a pre-specified 
number of tokens sent by user from wireless telephone 102. If the most current token sent 
from the user is identical to any token from this list, the call is also blocked, since this may 
indicate the interception of a particular token sent from user to CAS 106 and used illegally. 
This is a major advantage of the current invention since the token CK 202 used for 
encryption (in other words the secret key that is central to all 'challenge-response' 
authentication methods) can itself be broadcast over the common air interface or even made 
public. Thus the secret aspect of system described in the above-referenced Hodges and 
Rubenstein patent may be avoided in one embodiment. To reiterate, by blocking exact 
matches between a newly generated token and a stored token (one embodiment of this 
invention), the illegal capture of the token CK 202 does not enable third-parties to 
fraudulently initiate calls. This is a clear and substantial advantage over the prior art, and 
derives from the fact that personal biometric information is being used to generate secret 
keys. 

A further advantage is the token's resistance to corruption due to wireless noise. In 
one embodiment, a loss of a few features of the minutiae set from the token will still leave 
sufficient uncorrupted features to allow unique matching against another token derived 
from the same finger. One could therefore expect a "fuzzy" (non-deterministic) set of 
minutiae, that will give unique matching. Another advantage of the current invention 
derives from the fact that the CK 202 tokens can be made public with no ill effects. Thus if 
the database MCKD 107 is stolen or attacked by computer hackers and viruses, as long as a 
backup copy of the database MCKD 107 exists at a remote and secure mirror-site, there is 
no lasting negative consequence (so long as exact matches with prior stored tokens require 
that a call be blocked). 

FIG. 2 shows a typical structure for the MIN-Challenge Key Database 107 
("MCKD") in accordance with one embodiment of this invention. A CK 202 is stored in 
association with each MIN 201. Additional instructions or restrictions on the use of each 
MIN 201 can be stored in a special instruction section (SIS) 203. These may include, for 
example, blocks on long distance calls to certain localities, restrictions on calls over a 
certain dollar amount, etc. In addition, MCKD 107 includes a column 204 for storing 
recently received tokens from FCPD 101. Anytime that a received token exactly matches 
one of the tokens stored in column 204, the call may be blocked. 

The CK 202 is a token that is generated from the fingerprint that the user initially 
provided when registering with the phone company. This token contains information 
pertinent to the fingerprint minutiae information that has been embedded so as to ensure that 
if stolen it would not lead to a loss of the original fingerprint itself. 

Since fingerprint images vary slightly from print to print, such tokens from the 
same finger at repeated times will be different. Also, depending upon the format of 
fingerprint minutiae in the tokens, two separately generated tokens of the same print will 
not from the outside appear similar - only when fingerprint matching algorithms for 
comparison are applied to both tokens generated from different impressions of the same 
finger can both tokens be deemed to be from the same fingerprint. Thus simple possession 
of a token from a given fingerprint will not enable anyone to generate other different tokens 
corresponding to a different fingerprint impression from the same finger. This renders the 
method very robust and tamper proof. 

Token matching first requires extraction of the fingerprint minutiae from the token. 
These are then compared by matching their two-dimensional coordinates. If the 
coordinates match to within a defined tolerance, the tokens are deemed a match. As 
explained below, tokens may be provided with a timestamp as an extra security measure. 
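
The CAS-side decision described above (the double match, the block on exact repeats of CK 202 or of a token in column 204, and coordinate matching within a tolerance), sketched as an added example that is not part of the patent text. Tokens are modelled as plain lists of (x, y) minutiae and the response as the already-decrypted challenge; the tolerance, pairing threshold, history size, class and function names and all sample coordinates are assumptions.

```python
import hmac
import math
import secrets
from dataclasses import dataclass, field

# Assumed parameters; the patent text gives no concrete values.
TOLERANCE = 4.0     # max coordinate distance for two minutiae to be paired
MIN_PAIRED = 0.8    # fraction of CK minutiae that must find a partner
HISTORY_LIMIT = 5   # "pre-specified number" of recent tokens kept per MIN


@dataclass
class Record:
    """One MCKD row: CK 202 plus column 204 (recently received tokens)."""
    ck: tuple
    recent: list = field(default_factory=list)


def tokens_match(ck, token):
    """Pair each CK minutia with its nearest unused minutia in `token`."""
    unused = list(token)
    paired = 0
    for x, y in ck:
        if not unused:
            break
        best = min(unused, key=lambda p: math.hypot(p[0] - x, p[1] - y))
        if math.hypot(best[0] - x, best[1] - y) <= TOLERANCE:
            unused.remove(best)
            paired += 1
    return paired >= MIN_PAIRED * len(ck)


class CAS:
    """Hypothetical model of the central authentication system's decision."""

    def __init__(self):
        self.mckd = {}      # MIN -> Record
        self.pending = {}   # MIN -> plaintext challenge awaiting a response

    def enroll(self, min_, ck):
        self.mckd[min_] = Record(ck=tuple(ck))

    def issue_challenge(self, min_):
        # A different challenge every time, held until the response arrives.
        self.pending[min_] = secrets.token_bytes(16)
        return self.pending[min_]

    def authorize(self, min_, response, token):
        rec = self.mckd.get(min_)
        challenge = self.pending.pop(min_, None)   # each challenge is single-use
        if rec is None or challenge is None:
            return "deny: no record or no outstanding challenge"
        if not hmac.compare_digest(challenge, response):
            return "deny: challenge mismatch"
        token = tuple(token)
        # An exact repeat of CK or of a recent token is treated as interception.
        if token == rec.ck or token in rec.recent:
            return "deny: replayed token"
        if not tokens_match(rec.ck, token):
            return "deny: fingerprint mismatch"
        rec.recent.append(token)
        del rec.recent[:-HISTORY_LIMIT]            # keep only the newest tokens
        return "allow"


# Constructed sample data: (x, y) minutiae coordinates, not real fingerprints.
MIN = "555-0100"
CK = ((10, 12), (34, 40), (55, 21), (70, 66), (82, 15), (25, 77))
CAPTURE_1 = ((11, 13), (33, 41), (56, 20), (71, 65), (81, 17), (26, 76))
CAPTURE_2 = ((9, 11), (35, 42), (54, 22), (69, 67), (83, 14), (24, 78))
OTHER_FINGER = ((5, 60), (48, 9), (90, 90), (15, 30), (60, 50), (40, 95))


def demo():
    """Run six call attempts against one enrolled MIN and collect the outcomes."""
    cas = CAS()
    cas.enroll(MIN, CK)
    results = []
    for token in (CAPTURE_1, CAPTURE_1, CK, OTHER_FINGER, CAPTURE_2):
        challenge = cas.issue_challenge(MIN)
        results.append(cas.authorize(MIN, challenge, token))
    stale = cas.issue_challenge(MIN)
    cas.issue_challenge(MIN)                 # replaces the outstanding challenge
    results.append(cas.authorize(MIN, stale, CAPTURE_2))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```
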

As known in the state of the art, many fingerprint matching schemes involve the
generation of inter-minutiae-based keys (i.e., distance vectors, etc.) that while being generally
similar, will vary between multiple impressions of the same finger. Various inter-minutiae
distance-vector-derived formats are known in the art. Many of these (as well as variations on
them) may be suitable for generating keys in accordance with this invention. Such keys may,
of course, also serve as tokens such as CK 202 in this invention. Suitable matching schemes
are described in, for example, US Patent No. 4,747,147 issued to Sparrow on May 24, 1988,
US Patent No. 5,493,621 issued to Matsumura on February 20, 1996, and information
provided at the World Wide Web site www.Luccnt.Com/Prcss/0597/niinul-GAF. Each of
these documents is incorporated herein by reference for all purposes. A typical description of a
processed fingerprint is a list of x, y and angle tabulation of each minutia. Minor modification
to these linear values (e.g., adding slight random displacements) will still reflect the same
underlying fingerprint, allowing for variation during multiple impressions (e.g., slight
distortions and rolling during the pressing of the finger). Thus, using straightforward minutiae
tabulations as tokens is susceptible to minor modification that could result in illegal phone
access.

A different and frequently used description of fingerprint information is the inter-minutiae
distance vector information. Such descriptions are inherently non-linear in nature and
so when tabulations of these are randomly or systematically modified (i.e. without explicit
knowledge of the inherent non-linearity) in minor and linear ways, the new modified tabulation
will not, in general, reflect the underlying original fingerprint, even when allowing for
variation between multiple impressions of the same fingerprint.

Thus, use of such inter-minutiae distance-vector-derived keys (tokens) for matching
purposes will foil wireless fraudsters who may somehow illegally capture the transmitted
and encrypted fingerprint information and try to use the exact same keys to fraudulently
activate phone calls. That is, in general legal phone use, one expects the transmitted
fingerprint keys to be somewhat different each time, and different in a way that makes
sense with respect to the fingerprint. In illegal use, where the encrypted keys are captured,
decrypted and re-transmitted, the repeated use of a set of exact same identical keys can be
readily detected. Any minor modification of the keys, without specific prior knowledge of
non-linear relationships, in order to be true has to be compatible with the true fingerprint,
thus leading to the detection of such fraudulent use.

The advantages of using a central authentication platform and a "challenge-response"
authentication method are described in U.S. Patent No. 5,420,908 described
above. However, the "challenge-response" authentication suggested in that patent differs
significantly from the current invention in at least two ways: First, the patent suggests a
shared secret key (S-key) between the wireless phone and the central authentication system.
This necessarily requires a specialized memory chip that can store the S-key to be part of
the wireless phone itself. Therefore, in the event that the wireless phone is lost or stolen,
illegal calls can be made from the phone unless special instructions to block such newly
illegal calls have been sent to the central authentication system. The current invention, in
contrast, relies on information that is stored at the user's fingertips itself, and therefore
does not require the wireless phone unit itself to store any secret key/information.
Consequently, a stolen or lost phone cannot be used illegally. Second, the challenge-response
method described in the '908 patent does not transmit the S-key itself over the air
interface. The present invention may allow transmission of the "secret" key through the air
interface, because the present challenge-response authentication scheme is not dependent on
the "secret" key per se. In a preferred embodiment, however, the key (CK 202) is kept
secret by some acceptable technique such as sending the challenge and response over
variable channels unrelated to the voice transmission and/or providing additional encryption
of the keys themselves.

By using personal biometric information, like fingerprints, the present invention
may overcome the major drawbacks of the generic "challenge-response" authentication
schemes as typified by the '908 patent method.

FIGS. 3A and 3B present a flow chart of one typical sequence of events in a
"challenge-response" authentication of this invention. The user begins the process at a step
300 by dialing a telephone number using the keypad 112 of the wireless telephone 102.
The MIN, ESN, and the phone number of the party being called are transmitted to MSC
103 at a step 301. At a branch point 302, as in a conventional system, MSC 103 either
confirms the legitimacy of the MIN-ESN pair and goes to a next step 303, or blocks the call
at a step 315. At a branch point 303, the MSC determines if the user of the MIN requested
additional security. If the result is NO, the call is connected just as routinely done in a
conventional system at a step 316. If the result is YES, the MIN is sent to the CAS 106 at
a step 304.

In a step 305, CAS 106 accesses MCKD 107 and requests token CK 202 that is
associated with the MIN. CAS 106 then generates a challenge that is different each time.
This is then encrypted with the token 202 in a step 306. The CAS 106 sends token CK
202 and the encrypted challenge to the wireless telephone via a step 307 using PSTN or
Internet 105. Additional layers of security can be added to the encrypted challenge and CK
202 if so desired. For example, the encrypted challenge can be sent to the mobile wireless
phone over a different wireless forward channel.

In a step 308, the user gives his/her fingerprint to the FCPD 101 and this is used to
generate a token. In certain variations, step 308 can be performed at any point after step 301
and the generated token stored in a memory 404 (FIG. 4). After the encrypted challenge
has been sent to phone 102 and a token has been generated from the user's fingerprint,
FCPD 101 compares the generated token with the token it received from the CAS 106 at a
conditional branch point 309. If they do not match, the call is blocked at a step 315. In
one embodiment, whenever a call is blocked the token sent by FCPD 101 of the caller's
fingerprint can be forwarded via MSC 103 through CAS 106 and specially stored for later
criminal investigation of fraudulent phone use (step 318). If they match, the token received
from CAS 106, or in other embodiments both tokens (including the one generated at the
phone), is used to decrypt the challenge sent from CAS 106 in a step 310 (begin FIG. 3B).
The FCPD 101 then sends both the now-decrypted challenge and the locally generated
token (from the user's fingerprint captured on FCPD 101) back to CAS 106 by way of
MSC 103 via a step 311.

Generally, the invention's direct mapping of individuals personally to the phone
calls they make also allows the mapping of callers who attempt unsuccessful break-ins into
the wireless phone system. Permanent records of the tokens generated from the
fingerprints of callers attempting illegal entry can be kept, if desired, for further criminal
investigation. More importantly, the mere idea of the potential of being caught when
illegally using someone else's phone may greatly reduce phone fraud.

After receiving the decrypted challenge from FCPD 101, CAS 106 compares it with
the challenge stored in a CAS temporary memory 607 (FIG. 6) at a conditional branch
point 312. If the match is not successful the result from step 312 is NO and the call is
blocked at a step 315 and then step 318 may be permitted if so desired. If there is a match
the result is YES and the process moves on to a conditional step 313. At this step, CAS
106 compares the token generated from the user's fingerprint captured and sent by FCPD
101 to one or more stored in its database 107 at column 202. If these tokens do not match,
the call is blocked, again at step 315 and step 318 is optionally performed. This second
matching of the tokens (note that they were initially compared at step 309) is provided for
additional security and may be dispensed with if desired.

Next, at an optional decision step 320, CAS 106 compares the token received from
FCPD 101 with one or more stored tokens which were previously received from FCPD
101 and CK 202. These previously received tokens are preferably those stored in column
204 of database table 107. If it is found that the most recently received token exactly
matches one of the tokens stored in columns 202 and 204 of database 107, the call is
blocked at step 315 (and step 318 is optionally performed). As noted above, tokens are
generally not identical if they capture a fingerprint with sufficient resolution because each
fingerprint from a given individual will vary slightly (e.g., the minutiae may be slightly
offset from one another). To ensure authentication in the case where a given individual
actually does give two identical legitimate tokens, the system may only block the call if two
or more successive tokens exactly match one or more of the stored tokens.

If the tokens match at step 313 but not identically (optional step 320), the call is
authenticated for connection at a step 314. Thereafter, at a step 316, the process returns to
the routine present-day calling protocol to complete the connection. If needed, allowance
for failed authentication due to severe token corruption from wireless noise etc., can be
made by having the protocol automatically re-try the entire procedure at step 304. The
entire process exits at a step 317 and ends the illustrated flow-diagram.

In a further preferred embodiment, the format of the embedded fingerprint minutiae
contains a timestamp specifying the time at which the user's fingerprint was taken. The
CAS would then deny access if the timestamp was not from an appropriate window in time
(chosen to allow for a reasonable delay between transmission of the challenge and receipt
of the newly generated fingerprint token). If a person should intercept the user's
fingerprint token, not only would he/she have to extract the fingerprint minutiae, but he/she
would also have to properly update the timestamp in order to defeat the system. In some
embodiments, the CAS only checks for timestamp, rather than examining the newly
received token for an exact match to some multiple previously received tokens.
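The CAS-side decisions of steps 312, 313 and 320, together with the timestamp window, as an added Python sketch that is not code from the patent. The greedy coordinate pairing, the 3-pixel tolerance, the 80% pairing threshold, the 30-second window and all class, function and sample names are assumptions; the sample minutiae are constructed.

```python
import hmac
import math
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Token:
    minutiae: tuple      # ((x, y), ...) minutia coordinates in pixels
    timestamp: float     # capture time in seconds, stamped by the FCPD

@dataclass
class MinRecord:         # one MCKD row for a MIN (hypothetical layout)
    ck: Token                                    # column 202, enrolled token
    recent: list = field(default_factory=list)   # column 204, received tokens
    exact_streak: int = 0                        # successive exact repeats seen

def tokens_match(a, b, tol=3.0, min_fraction=0.8):
    """Pair minutiae by 2-D coordinates; match if enough pairs lie within tol."""
    if not a.minutiae or not b.minutiae:
        return False
    unused = list(b.minutiae)
    paired = 0
    for x, y in a.minutiae:
        if not unused:
            break
        best = min(unused, key=lambda m: math.hypot(m[0] - x, m[1] - y))
        if math.hypot(best[0] - x, best[1] - y) <= tol:
            unused.remove(best)      # each stored minutia is used at most once
            paired += 1
    return paired >= min_fraction * max(len(a.minutiae), len(b.minutiae))

def authenticate(rec, issued, returned, token, now, window=30.0, max_exact=0):
    """Return 'connect' or a 'blocked: ...' reason for one call attempt."""
    # Step 312: the decrypted challenge must equal the one the CAS issued.
    if not hmac.compare_digest(issued, returned):
        return "blocked: challenge mismatch"
    # Timestamp embodiment: the print must have been taken inside the window.
    if not 0 <= now - token.timestamp <= window:
        return "blocked: timestamp outside window"
    # Step 313: fuzzy match against the enrolled token CK.
    if not tokens_match(token, rec.ck):
        return "blocked: fingerprint mismatch"
    # Step 320: a token identical to a stored one indicates a replay.
    seen = [rec.ck.minutiae] + [t.minutiae for t in rec.recent]
    if token.minutiae in seen:
        rec.exact_streak += 1
        if rec.exact_streak > max_exact:   # max_exact=1 tolerates one repeat
            return "blocked: exact repeat of a stored token"
    else:
        rec.exact_streak = 0
    rec.recent.append(token)               # remember it for later replay checks
    return "connect"

# Constructed sample data: an enrolled print, a second impression of the same
# finger (each minutia shifted by at most 1 pixel), and an unrelated print.
ENROLLED = ((10, 12), (40, 35), (22, 60), (55, 18), (70, 70))
FRESH    = ((11, 12), (39, 36), (22, 61), (56, 17), (70, 71))
IMPOSTOR = ((5, 50), (30, 10), (60, 45), (15, 30), (75, 20))

def demo():
    rec = MinRecord(ck=Token(ENROLLED, 0.0))
    ch = b"constructed-challenge"
    return [
        authenticate(rec, ch, ch, Token(FRESH, 1000.0), now=1005.0),
        # Same minutiae again with a refreshed timestamp: caught by step 320.
        authenticate(rec, ch, ch, Token(FRESH, 2000.0), now=2003.0),
        authenticate(rec, ch, ch, Token(IMPOSTOR, 2000.0), now=2001.0),
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The exact-repeat check runs only after the fuzzy match succeeds, so a resubmitted token is rejected precisely because it is too good a match, which is the property the description relies on.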

FIG. 4 is a diagram presenting one embodiment of the FCPD 101 and its
interconnection with the wireless telephone 102 (FIG. 1). The illustrated FCPD 101
contains a fingerprint imager 417 for converting a fingerprint from a finger 415 into a
fingerprint image. FCPD 101 also includes a CPU (central processing unit) 401 that can
supply all the computational needs of the "challenge-response" authentication process, and
more importantly all necessary processing of fingerprint images and their subsequent
comparison. An interface port 402 and a data bus line 403 are together capable of handling
all the communications between various parts of FCPD 101 and wireless telephone 102.
This includes all types of serial interfaces and voice channels for transmitting and receiving
data. A memory module 404 stores at least those items necessary to the operation of FCPD
101 including: 1) a software program 405 which contains program codes for fingerprint
image processing, matching, decryption of the challenge, and the generation of responses;
and 2) a response storage unit 406 which temporarily stores the response before sending it
to the CAS 106.

CPU 401 can be any suitable integrated circuit or electronic design including
multichip modules and circuitry formed on printed circuit boards. If it is an integrated
circuit, it may be a general purpose microprocessor, a logic device such as an application
specific integrated circuit (ASIC), etc. Examples of suitable ASICs include gate arrays,
simple and complex programmable logic devices (PLDs), digital signal processors (DSPs),
and field programmable gate arrays (FPGAs).

In one embodiment, fingerprint imager 417 includes a fingerprint capture surface
such as a window or capacitor array which produces an image of the user's fingerprint
when the user places his or her finger thereon. In addition, imager 417 includes the optics
necessary to direct an optical image of the fingerprint onto a solid state imager which also
forms part of fingerprint imager. The solid state imager, which is preferably a CCD array
or a CMOS photodiode/photogate array, generates an electronic image of the user's
fingerprint. If the solid state imager is a CMOS photodiode/photogate array, it may be
provided on a single integrated circuit together with processing logic such as CPU 401.
Further details of suitable optical fingerprint imagers are provided in U.S. Provisional
Application No. 60/025,949, "Embeddable Module for Fingerprint Capture and Matching,"
filed on September 11, 1996, and naming R. Rao, S. Subbiah, Y. Li & D. Chu as
inventors. In an alternative embodiment, imager 417 may be a capacitor array formed on a
semiconductor substrate such as that described in the May 22, 1997 edition of the San
Francisco Chronicle, "New Chip Verifies Fingerprints" which pertains to a product of
Veridicom Corporation. In another alternative embodiment, imager 417 may be an
ultrasonic mechanism formed on semiconductor substrates.

It is important to note here an advantage over the "challenge-response"
authentication method presented in U.S. Pat. No. 5,420,908 (referred to as the Secret-Key).
In the present invention, the "key" need not be persistently stored in the FCPD 101
module. Therefore the wireless telephone cannot be used by any other user even when it is
lost or stolen.

In a preferred embodiment, telephone 102 is a conventional wireless telephone. It
communicates with FCPD 101 over a connection line 407 which may be a parallel or serial
connection. Telephone 102 may contain a key pad 411, all necessary telecommunication
functions 413 (including a stored MIN and provisions for generating a dialed number from
key pad inputs), data bus lines 412, and an interface port 410 for communicating with
FCPD 101 (over connection line 407) and with wireless stations such as an MSC. It is
important to note that interface port 410 should be capable of interfacing not only voice
communication signals (for standard mobile phone operation), but other communication for
control between the CAS 106 and the FCPD 101 to complete the "challenge-response"
authentication. In a preferred embodiment, interface port 410 is capable of sending and
receiving fingerprint data over a data channel which operates at a different frequency from a
communications channel which sends and receives the wireless communications (e.g.,
voice data).

Preferably, FCPD 101 is integrated directly within the casing of a conventional
wireless telephone or other communication source, the only distinction being the presence
of a fingerprint capture window on the side of the telephone and accessing imager 417. In
an especially preferred embodiment, a single integrated circuit provides most of the
functions of FCPD 101 and telephone 102. These functions include, for example, CPU
401, memory 404, and telecom functions 413. As functions from both FCPD 101 and
telephone 102 are provided on the same chip, interface port 402 and connection line 407 are
not required. A modified version of interface port 410 having only the functionality
necessary to communicate with other wireless stations (not FCPD 101) may be employed
on the integrated circuit. This single chip embodiment has the advantage of an extra layer of
security as thieves will be unable to directly monitor signals crossing connection line 407.

If fingerprint imager 417 is a CMOS imager, it may be integrated with other
components on the integrated circuit. If imager 417 is a CCD array, it typically will have to
be provided on a separate chip.

Suitable design parameters of FCPD 101 can be specified based upon the general
requirements of fingerprint analysis and matching algorithms. A typical human fingerprint
has an aspect ratio of about three to two; that is, it is one and one-half times as long as it is wide.
The average fingerprint has about 50 ridgelines separated by intervening valley lines that
are about equally as thick. Generally the lines run from left to right and as they do they
first traverse upwards and later downwards. Given this amount of information, the Federal
Bureau of Investigation has suggested that fingerprint detection systems should provide an
array of 512x512 pixels since it allows for at least four pixels per ridgeline and four per
valley line. Preferably, though not necessarily, the imager employed in the FCPD 101
contains an array of at least 512x512 pixels. Using sophisticated fingerprint imaging
algorithms such as those described in the above-referenced US Provisional Application
60/025,949, significantly smaller arrays can be employed. In one embodiment, the array
may include 240x160 pixels or, in another embodiment, 120x160 pixels. The use of such
small arrays has the advantage of requiring (1) less processing resources from CPU 401
and (2) less space from memory 404 during processing of a large array of fingerprint data.

Accurate fingerprint matching technology, which is well-known in the art (see, for
example, U.S. Pat. Nos. 2,952,181, 4,151,512, 4,322,163, 4,537,484, 4,747,147, 5,467,403
which were previously incorporated by reference), has for over a hundred years relied
on the extraction and subsequent comparison of specialized features called minutiae.
Minutiae are essentially of two equally frequent types - either the abrupt ending of a line in
the middle of the fingerprint or the fusion of two lines to create a Y-shaped junction.
Typically there are about 60 or 70 such features in a fingerprint and it is the relative location
of these from each other that creates a unique spatial pattern that statistically no other human
can possess.

Suitable methods of fingerprint matching may involve software processing steps as
illustrated in FIG. 5. After capturing the fingerprint image (step 501), a contrasting
algorithm (step 503) reduces all the gray shades of a captured image 502 to either black (for
ridgelines) or white (for valley lines) as shown in image 504. Traditionally these
algorithms are omni-directional. Basically, the particular shade of gray at each pixel is
compared with those of the neighboring pixels in all directions and if judged to be relatively
darker than most of its neighbors it is deemed to be black, otherwise white. After this
contrasting step, the contrasted image 504 is further processed by a thinning algorithm
(step 505). The object here is to reduce the black lines from being on average four pixels
thick to only one pixel thick, thereby increasing the number of white pixels substantially.
A thinned image 506 is then examined by further algorithms (step 507) that attempt to
deduce and accurately extract the minutiae and their locations as shown in a map 508. The
process is then completed at 509. All further fingerprint matching/comparison often relies
primarily on these 60 or 70 extracted pieces of information.
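One common way to carry out the minutiae-extraction step 507 on a thinned image is the crossing-number method, shown here as an added Python example; the patent does not name the algorithm it uses. The skeleton image is constructed, and the function names and the border margin are assumptions.

```python
# Added example: crossing-number minutiae extraction on a thinned ridge map.
# The method, names and sample image are assumptions, not taken from the patent.

# Constructed one-pixel-wide skeleton ('#' = ridge, '.' = valley): a ridge that
# ends on the left and splits into two branches (a Y-shaped junction).
SKELETON = [
    ".......#.",
    "......#..",
    ".....#...",
    ".####....",
    ".....#...",
    "......#..",
    ".......#.",
]

# The eight neighbours in circular order N, NE, E, SE, S, SW, W, NW as (dy, dx).
RING = [(-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1), (-1, -1)]

def crossing_number(img, y, x):
    """Half the number of valley/ridge transitions met walking around (y, x)."""
    ring = [1 if img[y + dy][x + dx] == "#" else 0 for dy, dx in RING]
    return sum(abs(ring[i] - ring[(i + 1) % 8]) for i in range(8)) // 2

def extract_minutiae(img, margin=1):
    """Return [(kind, x, y), ...] for ridge endings and bifurcations.

    Pixels closer than `margin` to the border are skipped, because a ridge
    that merely leaves the image would otherwise be reported as an ending.
    """
    if margin < 1:
        raise ValueError("margin must be at least 1 so every neighbour exists")
    height, width = len(img), len(img[0])
    found = []
    for y in range(margin, height - margin):
        for x in range(margin, width - margin):
            if img[y][x] != "#":
                continue
            cn = crossing_number(img, y, x)
            if cn == 1:            # exactly one ridge leaves this pixel
                found.append(("ending", x, y))
            elif cn == 3:          # three ridges meet: Y-shaped junction
                found.append(("bifurcation", x, y))
    return found

if __name__ == "__main__":
    for kind, x, y in extract_minutiae(SKELETON):
        print(kind, "at x=%d y=%d" % (x, y))
```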

Central authentication system (CAS) 106 is preferably, though not necessarily,
provided as a server or other node connected to one or more MSCs over a public switched
telephone network. CAS 106 may also have wireless connection to an MSC or may even
form a part of the MSC. Generally, CAS 106 must be able to generate and compare
challenges, access a database of fingerprint based tokens, and communicate with a plurality
of wireless sources (e.g., mobile cellular telephones) via the one or more MSCs.

FIG. 6 is a diagram of CAS 106 in accordance with one embodiment of this
invention. The design is superficially similar to the FCPD 101 (and the design presented in
U.S. Pat. No. 5,420,908). Connected to CAS 106 are PSTN 105 and MCKD 107. CAS
106 must be able to handle, simultaneously, many calls from many wireless carriers. It
includes a memory 605 including a persistently stored program 606 and various
temporarily stored items including a challenge 607, a response token 608, and a decrypted
message 609. Program 606 contains the instructions for generating a challenge, encrypting
the challenge with a fingerprint based token, validating a decrypted challenge (e.g., by
comparison with the generated challenge), fingerprint matching based on tokens, and, in
some embodiments, comparing a response token with one or more stored tokens and
further assuring that tokens are not identical as that would imply illegal use. Response
token 608 is a memory entity containing the token sent back from the FCPD 101 in the
wireless telephone 102 before token matching is conducted. When a new token is provided
from FCPD, stored token is updated.

In addition, CAS 106 includes a CPU 602 for controlling the execution of a
program 606, accessing memory 605, and communicating with the MSCs over the PSTN.
Communication over the PSTN is provided through a data interface 601 in CAS 106 which
is connected to the PSTN over a line 105. In addition, CAS 106 communicates with
MCKD database 107 through a database interface 603 as shown. CPU 602, memory 605,
database interface 603, and data interface 601 communicate with one another over a data
bus 604.

In a preferred embodiment, the initial registration of the phone-owner's fingerprint
at the CAS 106 to create the appropriate entry into the MCKD 107 need not require the user
to visit the central phone service provider. When the phone-owner purchases or rents the
wireless phone at any local phone store he or she can use the FCPD 101 on the newly
purchased wireless telephone 102 itself to activate registry at the CAS 106 via the common
air interface and MSC 103. The phone's ESN and MIN can be sent along with the owner's
fingerprint and placed in the CAS database for future use.

In yet another embodiment of the present invention, multiple users can be permitted
to use the same wireless phone. All that is required is that the MCKD 107 at the CAS 106
be allowed to contain multiple CKs 202, one generated from each user of the same phone.
Such authorization can in principle be activated/initiated by the phone owner serving as a
master user who can at any time recruit additional users to be able to use their phone. By
activating appropriate buttons on the phone, the master user can in principle activate the
phone and the CAS 106 to receive a newly recruited user's fingerprint for association with
the master user's entry in the MCKD 107. The master user can remotely authorize this
action by simply validating it with his/her fingerprint. Again by engaging a pre-defined
sequence of buttons on the phone the master user could also in principle remove previously
authorized co-users.

In a further embodiment of the present invention, the phone owner could use more
than one fingerprint as a means to authenticate his/her identity. The MCKD 107 can be
arranged to contain information regarding more than one fingerprint of the owner. In fact,
if additional password-like security beyond fingerprint security is desired, the owner can
provide multiple fingerprints from different fingers in a particular secret order. This can
serve as a "password" known only to the owner.

In one use of the current invention, the traditional MINs and ESNs associated with
wireless phones are no longer required. The wireless telephone 102 will have an integrated
FCPD 101. When a user dials a number, the number of the party being called and the
token generated from the fingerprint of the user on the FCPD 101 will be sent to the MSC
103 and then forwarded to the CAS 106 for authentication based only on the fingerprint
token of the user for billing and authorization purposes. Because each fingerprint token
generated from the same finger will be different, a token intercepted from the common air
interface cannot easily be used for fraudulent use of wireless telephones. If a particular
token generated from a fingerprint is captured illegally from the air interface and
subsequently used repeatedly to authorize illegal calls, this can be detected very easily by
the CAS 106 since it would in normal circumstances expect somewhat different and varied
tokens being generated from the same fingerprint. Because such variations in the generated
token are intrinsic to the way fingerprint information is distributed on the finger itself, these
variations cannot be gleaned from illegally capturing one token from the common
air interface. That is, tokens generated from the same fingerprint at different impressions
on the FCPD 101 will vary so that merely having illegally captured one of these variations
will not enable the generation of varied tokens that are still meaningfully related to the
original fingerprint. The only thing that can be done is to use the exact same illegally
captured token to make illegal calls, but that can be easily detected. Thus it is possible that
the systems of this invention can allow any user to use any wireless telephone to place
calls.

In another use of the current invention, the identity of the user can be authenticated
for the purpose of identifying the caller's personal identity rather than merely the phone
number from which the caller initiated the call - i.e. the source terminal-ID. In one embodiment of
the present invention, at step 319 (FIG. 3), the caller's personal identity as determined by
the CAS 106 can be made available to the call control entity or the recipient of the call.
Based on the prior knowledge of who the caller is (and not just merely what phone number
the caller is calling from) the call recipient may elect to block the call even after it has been
authenticated as being non-fraudulent at step 314.

The current invention also provides a method for the identification of the caller
(caller ID) originating the phone call. In recent years, caller ID technology (where the
phone number of the caller's phone is automatically revealed to the call control entity or the
recipient of the phone call in a manner that allows the recipient to screen his or her calls)
has become increasingly commonplace. In effect, caller-ID as practiced today is really
terminal-ID (the ID of the caller's phone) and not really the personal identity of the caller.
With the present invention, wireless and traditional wired phones that have the built-in
capacity to capture/compare fingerprint information and communicate with an MSC for
authorization can allow the caller to be personally identified (rather than simply the caller's
phone number) to the call control entity or the recipient for call screening or other
authentication purposes. Indeed, both the caller-ID and the terminal-ID can be jointly
authenticated for an even higher level of security in phone networks.

As mentioned, the technology described herein may be employed in contexts other
than cellular telephone systems. For example, the invention may be employed to ensure
secure access to a vehicle with a wireless security system. Many automobiles now employ
wireless systems to allow remote control of door locking, automotive alarm systems,
lighting, etc. within the automobile. When the owner approaches his or her car, he or she
can unlock the car doors or activate/inactivate other car systems before actually reaching the
car. This is accomplished with the click of a button on a wireless control module.
Unfortunately, if such a module falls into the hands of a thief (or if the wireless signal is
illegally captured through the air and decoded), he may be able to circumvent the car's
security mechanism(s) and obtain control of the car. The present invention provides a
mechanism to protect against this possibility.

Wireless car security systems of this invention may employ a wireless control
module (source) containing the logic necessary for capturing and transmitting a token based
upon a user's fingerprint. The logic may be contained within a module as described above
with reference to FCPD 101. Generally, the vehicle itself may provide most of the
functionality described above with reference to CAS 106. Of course, it need not provide
access to a PSTN or database 107. However, it should include a fingerprint token of the
car operator and possibly multiple recently received tokens so that access may be blocked if
the token exactly matches a received token.

The vehicle protection mechanism of this invention may operate as follows. First,
the system on board the vehicle determines that a request for access to the vehicle has been
initiated from a wireless source. Next, the vehicle system determines whether the source
fingerprint data provided at the wireless source matches stored fingerprint data provided for
the vehicle. Access to the vehicle is then permitted (e.g., car doors are unlocked) if the
source fingerprint data matches the stored fingerprint data. In some embodiments, the
wireless source may prompt its user for a fingerprint from which to generate the source
fingerprint data.

In especially preferred embodiments, a full challenge-response protocol as
described above with reference to Figures 3A and 3B is employed. This may involve
generating an encrypted challenge from a challenge and a token based on the fingerprint
data stored with the automobile. Then, the encrypted challenge and the stored fingerprint
token are sent to the source where the stored and source fingerprints are compared. If they
match, one of the fingerprints is used to decrypt the encrypted challenge. The now
decrypted challenge and the source fingerprint data are then sent back to the automobile
where the decrypted challenge is confirmed and the source and stored fingerprints are again
compared. If all tests are passed, access to the automobile is permitted.

While the present invention has been described in terms of a preferred embodiment
and certain variations thereof, the scope should not be limited to the specifics presented
above. For example, while the system of this invention has been described as including a
central authentication system separated from a mobile switching center by a public switched
telephone network, the invention may be implemented by providing the central
authentication system within the mobile switching center. In this case, it may be necessary
to provide a mechanism for regularly updating the authentication system at each mobile
switching center. Further, the invention may be advantageously employed in systems that
do not employ a secret key. Importantly, the invention may rely on biometric information
other than fingerprints. Examples of such alternative biometric information include, but are
not limited to, a user's voice, personal information, photographs, hand shape and retina

Many similar variations on the above-described preferred embodiment may be
employed. Therefore, the invention should be broadly interpreted with reference to the
following claims.

CLAIMS

What is claimed is:

1. A method for authenticating a call to be made over a communication system,
the method comprising:

(a) determining that the call has been initiated from a source;

(b) determining whether source fingerprint data provided from said source
matches stored fingerprint data associated with said source; and

(c) if said source fingerprint data matches said stored fingerprint data,
allowing said call to be completed.

2. The method of claim 1, wherein the communication system forms at least
part of a wireless telephone network.



3. The method of claim 2, wherein the call initiated from the source may be
forwarded through any of a plurality of mobile switching centers.

4. The method of claim 2, wherein said source is a mobile cellular telephone.

5. The method of claim 4, wherein determining that a call is being initiated
includes detecting transmission of at least one of a mobile identification number (MIN) and
an electronic serial number (ESN) associated with the mobile cellular telephone.

6. The method of claim 5 further comprising confirming that said at least one
of the MIN and the ESN is valid.

7. The method of claim 1 further comprising:

requesting that said source fingerprint data be provided from the source of
said call.

8. The method of claim 1, wherein said fingerprint data is provided in an
inter-minutiae distance-vector-derived format.

9. The method of claim 1, further comprising:

encrypting a challenge with the stored fingerprint data to produce an
encrypted challenge; and

providing the encrypted challenge to the source for the purpose of
decrypting by the source with the source fingerprint data.

10. The method of claim 9, wherein the step of determining whether the source
and stored fingerprint data match comprises:

receiving a decrypted challenge from said source, which decrypted
challenge has been decrypted with the source fingerprint data; and

comparing the challenge with the decrypted challenge from the source.

11. The method of claim 1, further comprising:

determining whether the source fingerprint data is identical to one or more
instances of sample fingerprint data previously received; and

if the source and any one of the instances of the sample fingerprint data are
identical, preventing the call from being completed.

12. The method of claim 1, where the fingerprint data is provided in a
timestamp.

13. A method for accessing a vehicle with a wireless security system, the
method comprising:

(a) determining that a request for access to the vehicle has been initiated
from a wireless source;

(b) determining whether source fingerprint data provided at said wireless
source matches stored fingerprint data provided for the vehicle; and

(c) if said source fingerprint data matches said stored fingerprint data,
allowing access to the vehicle.

14. The method of claim 13, further comprising prompting a user of said
wireless source for a fingerprint from which to generate the source fingerprint data.

15. The method of claim 13, wherein the stored fingerprint data is stored in the
vehicle.

16. The method of claim 13, wherein the vehicle is a car and allowing access to
the car comprises unlocking the car.

17. A method for authenticating a call to be made over a communication system,
the method comprising:

(a) transmitting a dialed number to a switching center on said
communication network;

(b) receiving a user's fingerprint;

(c) generating source fingerprint data from said user's fingerprint; and

(d) if the source fingerprint data matches stored fingerprint data associated
with user, completing the call.

18. The method of claim 17, wherein the communication system forms at least a
part of a wireless telephone network.

19. The method of claim 18, wherein (a) through (d) are performed by a mobile
cellular telephone.

20. The method of claim 17, further comprising:
transmitting at least one of a MIN and an ESN to said switching center.



21. The method of claim 17, further comprising:

prompting the user to provide a fingerprint.

22. The method of claim 17, wherein generating source fingerprint data
provides the source fingerprint data in a format comprising inter-minutiae
distance-vector-derived information.

23. The method of claim 17, further comprising:

determining whether the source fingerprint data matches the stored
fingerprint data prior to completing the call.

24. The method of claim 23, wherein the stored fingerprint data is provided
from a database on a public switched telephone network.

25. The method of claim 17, further comprising:

receiving an encrypted challenge from the switching center;

decrypting the encrypted challenge with the source fingerprint data to
produce a decrypted challenge; and

transmitting said decrypted challenge to the switching center, such that if the
decrypted challenge is found to match an unencrypted challenge, specifying that the source
fingerprint data matches the stored fingerprint data.

26. The method of claim 17, wherein generating source fingerprint data
provides the source fingerprint data in a format comprising a timestamp.



WO 98/11750 PCT/US97/16094



27. A wireless communication device capable of rendering wireless
communications secure by requiring biometric information from a user, the device
comprising:

(a) a wireless communications interface for sending and receiving wireless
communications;

(b) a device for capturing the user's fingerprint; and

(c) a processing device capable of converting the user's fingerprint to
source fingerprint data which can be transmitted.

28. The device of claim 27, wherein the device is a wireless telephone.

29. The device of claim 28, wherein the wireless telephone includes a casing
and provided within said casing are the device for capturing the user's fingerprint and the
processing device.

30. The device of claim 27, wherein the wireless communications interface is
capable of sending the source fingerprint data to a remote location.

31. The device of claim 30, wherein the wireless communications interface is
capable of sending and receiving fingerprint data over a data channel which operates at a
different frequency from a communications channel which sends and receives the wireless
communications.

32. The device of claim 27, wherein the device for capturing the user's
fingerprint includes:

a fingerprint capture surface on which the user can place his or her finger to
produce an optical image of the user's fingerprint;

an imager capable of generating an electronic image of the user's fingerprint;
and

optics for directing the optical image of the user's fingerprint from the finger
print capture surface to the imager.

33. The device of claim 32, wherein the imager is selected from the group
consisting of CCD arrays and CMOS photodiode/photogate arrays.

34. The device of claim 33, wherein the imager is a CMOS
photodiode/photogate array which is provided on an integrated circuit together with the
processing device.

35. The device of claim 27, wherein the device for capturing the user's
fingerprint is a capacitor array formed on a semiconductor substrate or an ultrasonic
mechanism formed on a semiconductor substrate.

36. The device of claim 27, wherein the processing device is a CPU.

37. The device of claim 27, wherein the processing device is capable of
comparing the source fingerprint data with stored fingerprint data received from a remote
location, whereby when the source and stored fingerprint data are found to match, the
device allows a communication to proceed.

38. The device of claim 37, wherein the processing device is capable of
decrypting a challenge received from said remote location.

39. A central authentication system connected to a communications network and
capable of rendering wireless communications secure by processing biometric information
from a user, the device comprising:

(a) a communications interface for sending and receiving data
communications over said communications network;

(b) a database interface for accessing a database containing stored
fingerprint data associated with users of wireless communications devices; and

(c) a processor capable of determining whether a wireless communication
from a wireless communications device should be permitted based upon a match between a
fingerprint taken from said wireless communications device and stored fingerprint data
associated with the wireless communications device.

40. The central authentication system of claim 39, wherein the communications
interface is coupled to a public switched telephone network.

41. The central authentication system of claim 40, wherein the data
communications are directed to one or more mobile switching centers.

42. The central authentication system of claim 39, wherein the database
includes, for at least one of said wireless communications devices, a plurality of received
tokens containing information from fingerprints taken at said wireless communications
device.

43. The central authentication system of claim 42, wherein the processor is
capable of comparing a newly received token from a given wireless communication device
with said plurality of tokens for said given wireless communications device.

44. The central authentication system of claim 39, wherein the processor is
capable of generating an encrypted challenge by encrypting a challenge with a token
containing said stored fingerprint data.

45. The central authentication system of claim 39, further comprising a memory
which persistently stores a program allowing the processor to determine whether wireless
communications from the wireless communications devices should be permitted.

46. The central authentication system of claim 45, wherein the memory can
store a challenge and a decrypted challenge so that the processor can determine whether the
challenge and the decrypted challenge match.

Cross Reference to Related Applications

This application claims priority from (1) US Provisional Patent Application No.
60/025,947 filed September 11, 1996, entitled METHOD OF USING FINGERPRINTS
TO ELIMINATE WIRELESS PHONE FRAUD AND TO ASCERTAIN A CALLER'S
IDENTITY and naming Y. Li, D. R. K. Rao, and S. Subbiah as inventors, and (2) US
Provisional Patent Application No. 60/025,949, filed September 11, 1996, entitled
EMBEDDABLE MODULE FOR FINGERPRINT CAPTURE AND MATCHING, and
naming R. Rao, S. Subbiah, Y. Li, and D. Chu as inventors. Both of these applications
are incorporated herein by reference in their entireties and for all purposes.

Background of the Invention

The present invention relates to security measures for wireless telephones or cellular
mobile phones. More particularly, the invention relates to authentication methods
employing biometric information (e.g., fingerprints) to guarantee non-fraudulent use of
wireless telephones or cellular mobile phones.

As known in the state of the art, wireless telephones or cellular mobile phones are
identified by mobile identification numbers (MINs) and electronic serial numbers (ESNs).
Current protocols for wireless communication, either placing or receiving a call, require
both the MIN and the ESN to be broadcast through a standard common air interface (CAI)
between the wireless telephone and a mobile switching center (MSC) for authorization and
billing purposes. However, such information can be easily intercepted and obtained via
specialized scanning equipment that is readily available. MINs and ESNs captured this
way can be illegally programmed into other cellular phones for the purpose of placing calls
that will be billed to the person that the MIN and ESN has been legitimately assigned to.
This type of theft has become a common practice world-wide, and millions of dollars are
lost to the wireless service providers and law enforcement agencies (US $650 million in
1995).

Various methods have been proposed to solve this problem. One method
(described in U.S. Pat. No. 5,448,760) proposes the idea of requesting a personal
identification number (PIN) each time a call is placed. The PIN can be safely transmitted
through a different channel. However, this inconveniences the user and many users even
forget their PINs. Another method (described in U.S. Pat. No. 5,420,908) proposes
monitoring each customer's habit or calling pattern (also known as user profiles) and
blocking any calls that do not fit the customer's previous calling pattern. However, such a
method suffers from two problems: (1) the calling pattern of a customer is difficult to
accurately pin point (any time the calling pattern changes a legitimate call might be blocked)
and (2) it will not successfully block calls from phones that continually change the
MIN-ESN pair that they employ.

In another method (described in U.S. Pat. No. 5,420,908 issued to Hodges and
Rubenstein and incorporated herein by reference), a "challenge response" authentication
scheme is proposed to solve fraudulent use in wireless communication. The proposed
method includes a central authentication system serving several MSCs which store all
MINs with associated secret keys that are used to generate the "challenge response"
authentication. Having one central authentication system for several MSCs eliminates the
need for cross-system access between different MSCs. However, for security reasons -
e.g. power failure, computer hacker attacks, natural disasters - there should be at least one
additional remote site that maintains a mirror copy of the central authentication system.
Ideally backup communication between central authentication system and its mirror(s)
allow both hot and cold backups to dynamically maintain identical copies at all times. All
MSCs communicate with the central authentication platform through a standard phone line.
This method also requires each wireless phone to have a device which contains special
information to generate a correct response to a specific "challenge". Each time that a user
uses a cellular phone, the MIN and ESN are sent to the MSC just as in the standard
protocol used in wireless communication today. Then the MSC sends the information
through a secure public switched telephone network (PSTN) line to the central
authentication platform. The central system then takes the secret key which is associated
with the MIN and generates a challenge which is sent to the cellular phone through a
different wireless forward channel. The cellular phone then uses its special internal module
to generate a response to the challenge which is then sent back to the MSC by wireless
means and then forwarded to the central system via standard PSTN lines. The central
system then compares the cellular phone's response to the pre-calculated response value it
expects. If the response is correct the use is authorized.

Such a system has certain advantages and should improve security in wireless
communication. Although no specific type of secret key was disclosed in the '908 patent,
the specified secret keys - including a string of special integers - suffer major drawbacks.
First, computer systems are always subject to intruders/hackers. For example, just recently
there was the much celebrated case of Tsutomu Shimomura the network security expert and
his attacker Kevin Mitnick the outlaw computer hacker (In Takedown by John Markoff and
T. Shimomura, Hyperion Press: USA 1995). In the case of a break-in or even a suspicion
of a break-in, all stored secret keys are rendered useless and all the keys need to be
updated. This necessarily means that all the users have to visit their service provider in
person and update their secret key. Second, if only one or a few keys are stolen at any
given time, the system would not be able to detect the theft until the end of each billing
cycle (if even then). Third, the "challenge" is MIN-specific, the thieves who capture the
MIN and ESN through the air interface can also capture the "challenge" and its "response"
and attempt to crack the secret key. While some encryption methods like RSA can be made
very secure now, the powerful computers that can be expected to become widely available
in the future may allow secret keys to be cracked with the knowledge of multiple challenges
and their responses. Still further, with the global computer connectivity, Internet viruses
have become a major issue and almost every week there is a new virus that is released,
particularly from less developed countries. If the central authentication system gets infected
and the files tampered with, as before, all users have to return to their service provider to
have a new secret key reissued. All these four scenarios are quite likely to happen in our
age of high-tech criminals and even-higher tech teenage pranksters.

What is needed therefore, is an improved security system to protect against 
unauthorized use of wireless communications. The method and associated system should 
provide improved security and be easy to maintain. 

Summary of the Invention

The current invention expands on the principles and protocols discussed above.
The relevant extension involves using a token generated from biometric information, the
user's personal fingerprint in particular, as the secret key in the context of a modified
"challenge-response" scenario. As will be explained, this virtually eliminates all of the
drawbacks discussed above. Most generally, the invention involves the use of fingerprint
matching to authenticate a call or other communication over a wireless communication
network. The matching may be employed at a central location on the network, at the
personal wireless device, or both.

One aspect of the invention provides methods of authenticating calls to be made
over a communication system. Typically, both a wireless source (e.g., a mobile telephone)
and a central authentication node that may service numerous nodes participate in the
methods - although each operates according to its own protocol.

An authentication method implemented on the central authentication node may be
characterized by the following sequence: (a) determining that the call has been initiated from
a source; (b) determining whether source fingerprint data provided from the source matches
stored fingerprint data associated with the source; and (c) if the source fingerprint data
matches the stored fingerprint data, allowing the call to be completed. Matching may

may also involve decrypting a challenge. In addition to the above basic steps, the
authentication node may request that the source fingerprint data be provided from the
source of the call. In the case of a mobile telephone system, the call initiated from the
source may be forwarded through any of a plurality of mobile switching centers to reach
the central authentication node. That is, the central authentication node may serve multiple
switching centers. In a preferred embodiment, the central authentication node accesses the
stored fingerprint data from a database that associates particular users' accounts with their
fingerprints. The fingerprint data (from the source or stored database) may be embedded in
a token having a format making it difficult to extract the fingerprint data. In one
embodiment, that token format may be an inter-minutiae distance-vector-derived format
such as one of the formats commonly employed in the art.

In one specific embodiment, the method also involves (a) encrypting a challenge
with the stored fingerprint data to produce an encrypted challenge; and (b) providing the
encrypted challenge to the source for the purpose of decrypting by the source with the
source fingerprint data. The step of determining whether the source and stored fingerprint
data match preferably involves (i) receiving a decrypted challenge from the source, which
decrypted challenge had been decrypted with the source fingerprint data; and (ii) comparing
the challenge with the decrypted challenge from the source. If the two match, then it is
assumed that the stored and source fingerprints also match and the call is allowed to
proceed.

In a particularly preferred embodiment, the method involves a further security
feature to avoid use of a stolen fingerprint token. This technique operates on the
assumption that each time an individual gives a fingerprint, the print is slightly different due
to the flexibility of the finger skin, the angle at which the finger is pressed down, etc.
Thus, it is exceedingly rare that any two finger imprints from a given user will be identical.
Recognizing this, the method may require the following: (a) determining whether the
source fingerprint data is identical to one or more instances of sample fingerprint data
previously received; and (b) if the source and any one of the instances of the sample
fingerprint data are identical, preventing the call from being completed.

Authentication methods implemented on a source such as a wireless telephone (as
opposed to the central authentication center as described above) may be characterized as
including the following steps: (a) transmitting a dialed number to a switching center on the
communication network; (b) receiving a user's fingerprint (possibly after a prompt); (c)
generating source fingerprint data from the user's fingerprint; and (d) if the source
fingerprint data matches stored fingerprint data associated with user, completing the call.
The source may itself determine whether the source fingerprint data matches the stored
fingerprint data prior to completing the call. In the case of a wireless telephone, the method
may also include traditional calling steps such as transmitting at least one of an MIN and an
ESN to the switching center.

In conjunction with the encryption technique described above for the central
authentication node, the source may perform the following steps: (i) receiving an encrypted
challenge from the switching center; (ii) decrypting the encrypted challenge with the source
fingerprint data to produce a decrypted challenge; and (iii) transmitting the decrypted
challenge to the switching center, such that if the decrypted challenge is found to match an
unencrypted challenge, specifying that the source fingerprint data matches the stored
fingerprint data (allowing the call to proceed).
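
The exchange described above for the central authentication node and the source, including the rejection of a source token identical to one received before, as an added Python model that is not part of the patent text. The token layout, the matching tolerance, the keystream cipher built from SHA-256 and HMAC, and all sample values are assumptions made for illustration; following the full protocol described earlier, the stored token travels with the encrypted challenge and is the one used to decrypt it.

```python
"""Model of the fingerprint challenge-response exchange (illustrative only)."""
import hashlib
import hmac
import secrets

TOLERANCE = 3        # assumed: max difference per inter-minutiae distance
MIN_FRACTION = 0.8   # assumed: share of distances that must agree


def tokens_match(a, b):
    """Fuzzy comparison: two captures of one finger are close, never equal."""
    if len(a) != len(b):
        return False
    close = sum(abs(x - y) <= TOLERANCE for x, y in zip(a, b))
    return close >= MIN_FRACTION * len(a)


def xor_crypt(token, nonce, data):
    """Encrypt/decrypt with a keystream keyed by the token (assumed cipher)."""
    key = hashlib.sha256(repr(tuple(token)).encode()).digest()
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


class CentralAuth:
    """Central authentication node: one stored token per MIN."""

    def __init__(self):
        self.stored = {}    # MIN -> enrolled token
        self.seen = {}      # MIN -> tokens received so far
        self.pending = {}   # MIN -> outstanding challenge

    def enroll(self, min_id, token):
        self.stored[min_id] = tuple(token)
        # Assumption: the enrolled token also counts as "previously received".
        self.seen[min_id] = {tuple(token)}

    def issue_challenge(self, min_id):
        challenge = secrets.token_bytes(16)
        nonce = secrets.token_bytes(8)
        self.pending[min_id] = challenge
        stored = self.stored[min_id]
        return {"nonce": nonce, "stored_token": stored,
                "encrypted": xor_crypt(stored, nonce, challenge)}

    def verify(self, min_id, decrypted, source_token):
        challenge = self.pending.pop(min_id, None)   # one use per challenge
        source_token = tuple(source_token)
        if challenge is None or not hmac.compare_digest(challenge, decrypted):
            return "bad-challenge"
        if source_token in self.seen[min_id]:
            return "replayed-token"      # bit-identical to an earlier capture
        self.seen[min_id].add(source_token)
        if not tokens_match(source_token, self.stored[min_id]):
            return "no-match"
        return "allow"


def handset_respond(message, fresh_token, compare_locally=True):
    """Handset side: compare locally, then decrypt with the stored token."""
    stored = message["stored_token"]
    if compare_locally and not tokens_match(fresh_token, stored):
        return None
    decrypted = xor_crypt(stored, message["nonce"], message["encrypted"])
    return decrypted, tuple(fresh_token)


def run_demo():
    """Four calls on one constructed MIN; returns the node's decisions."""
    min_id = "555-0100"                               # constructed sample MIN
    enrolled = (41, 57, 23, 88, 65, 30, 72, 49)       # constructed tokens
    capture_1 = (42, 56, 23, 90, 65, 29, 71, 49)
    capture_2 = (40, 58, 24, 87, 66, 30, 73, 50)
    other_finger = (12, 95, 60, 33, 20, 77, 51, 14)

    node = CentralAuth()
    node.enroll(min_id, enrolled)
    results = []
    # (token presented, whether the handset performs its own comparison)
    for token, local in [(capture_1, True), (capture_1, True),
                         (capture_2, True), (other_finger, False)]:
        message = node.issue_challenge(min_id)
        reply = handset_respond(message, token, compare_locally=local)
        results.append(node.verify(min_id, *reply) if reply else "refused")
    return results


if __name__ == "__main__":
    print(run_demo())
```

The second call is refused even though its token matches the stored one, because it is bit-identical to the capture received on the first call; the fourth shows why the node repeats the comparison instead of trusting the handset's own check.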

A personal wireless communication device (e.g., a wireless telephone) suitable for
use with the authentication methods of this invention may be characterized as including the
following features: (a) a wireless communications interface for sending and receiving
wireless communications; (b) a device for capturing the user's fingerprint; and (c) a
processing device (e.g., a CPU) capable of converting the user's fingerprint to source
fingerprint data which can be transmitted. Preferably, the wireless device includes a casing
and provided within that casing are both the device for capturing the user's fingerprint and
the processing device.

The wireless communications interface should be capable of sending the source
fingerprint data to a remote location. Preferably, it should be capable of sending and
receiving fingerprint data over a data channel which operates at a different frequency from a
communications channel which sends and receives the wireless communications.

In one embodiment, the device for capturing the user's fingerprint includes: (i) a
fingerprint capture surface on which the user can place his or her finger to produce an
optical image of his or her fingerprint; (ii) an imager capable of generating an electronic
image of the user's fingerprint (e.g., a CCD array or CMOS photodiode/photogate array);
and (iii) optics for directing the optical image of the user's fingerprint from the finger print
capture surface to the imager. In a preferred embodiment, the imager is a CMOS
photodiode/photogate array which is provided on an integrated circuit together with the
processing device. In an alternative embodiment, the device for capturing the user's
fingerprint includes an imager which does not require optics. Examples of such
"optics-free" imagers include capacitor arrays or ultrasonic mechanisms formed on semiconductor
substrates.

The processing device should contain the logic and resources necessary for
comparing the source fingerprint data with stored fingerprint data received from a remote
location. Preferably, the processing device should also be capable of decrypting a
challenge received from the remote location.

As noted, the biometric "challenge-response" authentication scheme of this
invention preferably employs a central authentication platform serving several or all MSCs
and wireless phones. In this manner, the current invention seeks to prevent fraudulently
placed wireless calls using stolen MIN-ESN information.

Another aspect of the invention provides a central authentication system or node
connected to a communications network and capable of rendering wireless communications
secure by processing biometric information from a user. Such central authentication
systems may be characterized as including (a) a communications interface for sending and
receiving data communications over the communications network; (b) a database interface
for accessing a database containing stored fingerprint data associated with users of wireless
communications devices; and (c) a processor capable of determining whether a wireless
communication from a wireless communications device should be permitted based upon a
match between a fingerprint taken from the wireless communications device and stored
fingerprint data associated with the wireless communications device.

Often the communications interface will be coupled to a public switched telephone
network such that the data communications are directed to one or more mobile switching
centers on the network. The database - which may form part of the central authentication
system - preferably includes, for at least some of the wireless communications devices, a
plurality of received tokens containing information from fingerprints taken at the wireless
communications devices. The system then compares newly received tokens from a given
wireless communication device with the plurality of tokens for that wireless
communications device.

These and other features and advantages of the present invention will be further
described below with reference to the associated drawings.

Brief Description of the Drawings

Figure 1 is a block diagram of various components of the present invention as it may be
employed in a cellular phone system.

Figure 2 is a representation of a MIN-challenge key database table used to store tokens
from biometric information in accordance with one preferred embodiment of this invention.

Figures 3A and 3B together present a process flow diagram depicting a sequence of
events in a challenge-response authentication method of the present invention.

Figure 4 is a block diagram depicting basic components of a fingerprint capturing unit
and an associated wireless telephone in accordance with a preferred embodiment of the present
invention.

Figure 5 is a flow diagram depicting a fingerprint matching technique that may be
employed with the present invention.

Figure 6 is a block diagram of a central authentication system for processing biometric
information from a mobile telephone in accordance with one embodiment of the present
invention.

Detailed Description of the Preferred Embodiments

The present invention is described herein in terms of a wireless telephone system.
The invention is not so limited. For all purposes of this current invention, the term
"wireless telephone" (or "wireless communication system" generically) will be understood
to include cellular phones, personal communication systems, telephones, personal digital
assistants, wireless personal computers, wireless notebooks, etc. using analogue or digital
electronics technology. While the present invention is currently envisioned as providing
substantial benefit to wireless communications, there is in principle no reason why it could
not be applied to communications generally. Any communication that could benefit from
authentication may be implemented with the present invention. Such communications
include those made over a wire-based telephone system and employing an account code.

The communications allowed over the communication system will sometimes be
referred to herein as "calls." Examples of communications (calls) within the context of this
invention include (a) analog transmissions such as telephone calls transmitting analog voice
data over a wire medium or a wireless medium and (b) digital transmissions such as
packetized messages over a network (LAN, WAN, Internet, etc.) and digital voice data
over a wireless medium. Communications involving packetized transmissions may be
connection-based transmissions such as TCP or connectionless transmissions such as
UDP.

Fingerprint technology including hardware image capture, software image
processing, software/hardware for fingerprint data storage and software for fingerprint
analysis/comparison is a relatively mature technology with over 20 years of development
(see, for example, U.S. Pat. Nos. 2 952 181, 4 151 512, 4 322 163, 4 537 484, 4 747
147, 5 467 403, each of which is incorporated herein by reference for all purposes). It is
well-known that no two individuals possess the same identical fingerprint and that accurate
matching techniques in conjunction with well-captured images can positively identify an
individual. The term "fingerprint" as used herein refers to handprints, palmprints, and
other unique skin patterns in addition to traditional fingerprints.

The present invention may employ sophisticated hardware and software to allow
rapid fingerprint based identification as described in U.S. Provisional Application No.
60/025,949, filed on September 11, 1996, naming R. Rao, S. Subbiah, Y. Li & D. Chu as
inventors, and previously incorporated by reference. That application describes an
extremely small, low-cost fingerprint capture hardware module that lends itself to ready
insertion into many devices. The referenced Provisional Application was incorporated
herein by reference for all purposes and is illustrative of the maturity of the fingerprint
capture and comparison technology.

FIG. 1 shows an apparatus that may be used to process a wireless call in
accordance with the principles of the current invention. A fingerprint capturing device
("FCPD") 101 (such as that described in U.S. Provisional Application No. 60/025,949,
previously incorporated by reference) with an on-board CPU for processing and
comparison of the captured fingerprint image (see FIG. 4) is connected to the wireless
telephone 102. This connection may be by any method, i.e. via a telephone modem or a
data port specifically built-in to the wireless telephone 102, an acoustic coupler, or the
direct incorporation of the fingerprint module 101 into the wireless telephone 102.
Preferably, the module 101 can be incorporated within telephone 102 such that a standard
mobile telephone casing may house all electronics for operation of the telephone and
fingerprint processing. In an especially preferred embodiment, the electronics for
processing both the fingerprints and the telephone calls are provided on a single integrated
circuit chip. This makes it especially difficult to tamper with the system by, for example,
intercepting signals between fingerprint capturing module 101 and telephone 102.

In one embodiment of the invention which employs a protocol similar to that of
conventional wireless systems, each phone is provided with a MIN and ESN. When the
user dials a telephone number using a keypad 112 on the wireless telephone 102, the MIN,
ESN, and the number of the party being called is transmitted to a Mobile Switching Center
(MSC) 103 of a wireless carrier 104. In response, MSC 103 performs the standard
verification of the MIN and ESN as well-known in the art (see for example, In Wireless
Communications, by T. S. Rappaport, 1996, Prentice-Hall which is incorporated herein by
reference for all purposes). If the MIN and ESN belong to a special group of users who
have previously requested the additional layer of fingerprint based security with their
service, the MIN and ESN are sent to a Central Authentication System (CAS) 106 via a
public switched telephone network (PSTN) or Internet 105 to avoid direct access of CAS
106 through the air interface. This provides additional security for the CAS.

In response to the MIN being forwarded by MSC 103, CAS 106 looks up its built-in
MIN-Challenge Key Database (MCKD) 107 and retrieves an appropriate Challenge Key
(CK 202, FIG. 2) that is associated with that particular MIN. The CK 202 is a token that
has been derived from the user's fingerprint when the user first registered the purchase of
his/her phone service. The CK 202 is then used to encrypt a "challenge" that is generated
by the CAS 106. The challenge that is formulated by the CAS 106 is different each time
when it is accessed by the same or different users. The CK 202 and the encrypted
challenge are then jointly sent to wireless telephone 102 through any available forward
voice channel (FVC) or forward control channel (FCC) for example.

After reception of the challenge from CAS 106 by wireless telephone 102, the
challenge is forwarded to FCPD 101 as detailed in FIG. 4. The user's fingerprint
information could have been requested by FCPD 101 either before this point and after the
user entered the number of the called party, or at this time point itself. A token, which in
one embodiment could simply be an encoded collection of a set of unique minutiae/features
found in the fingerprint, is then generated based on the fingerprint information captured
locally by FCPD 101. As well-known in the art of fingerprint matching, a fingerprint from
any individual is unique to that individual and therefore the variety of slightly different
tokens (tokens can differ by a feature or two without any loss in uniqueness) that can be
generated can only come from that individual. The generated token is then compared with
fingerprint-based token CK 202 that was received from CAS 106. If there is a match of the
tokens, the encrypted message is decrypted by using token CK 202 received from CAS 106.
In other embodiments, either or both tokens could be used to decrypt the challenge. A
response (the decrypted challenge) is then sent back to MSC 103 through any of the
available reverse voice channels (RVCs) or reverse control channels (RCCs). This is then
forwarded via PSTN or Internet 105 (for additional security one may limit use of the
common air interface as much as possible) back to CAS 106.

The response from FCPD 101 to CAS 106 contains both the decrypted message
and a token that is generated from the fingerprint image the user supplied. If (1) the
received decrypted message matches the expected response (i.e., the original unencrypted
challenge that had been temporarily stored in CAS 106, as detailed in FIG. 6) and (2) the
token received from the FCPD 101 matches the CK 202 in the MCKD 107, the call is
authorized and connected. This double matching method will reduce false positives. It will
also prevent any illegal attempt that relies only on a decryption of just the encoded
challenge.

It is important to note that tokens generated from the same finger vary every time
the fingerprint is captured. In a preferred embodiment, if the token sent from FCPD 101
(via wireless telephone 102) is identical to that in the database (CK 202) the call will not be
authorized, since it is extremely unlikely that the exact same token will be generated in
subsequent image capture of the same finger. Presumably, such exact token matching will
only happen if the token had been illegally captured and is being used for illegal access into
the phone network. In this embodiment, the database may store up to a pre-specified
number of tokens sent by user from wireless telephone 102. If the most current token sent
from the user is identical to any token from this list, the call is also blocked, since this may
indicate the interception of a particular token sent from user to CAS 106 and used illegally.
This is a major advantage of the current invention since the token CK 202 used for
encryption (in other words the secret key that is central to all 'challenge-response'
authentication methods) can itself be broadcast over the common air interface or even made
public. Thus the secret aspect of system described in the above-referenced Hodges and
Rubenstein patent may be avoided in one embodiment. To reiterate, by blocking exact
matches between a newly generated token and a stored token (one embodiment of this
invention), the illegal capture of the token CK 202 does not enable third-parties to
fraudulently initiate calls. This is a clear and substantial advantage over the prior art, and
derives from the fact that personal biometric information is being used to generate secret
keys.

A further advantage is the token's resistance to corruption due to wireless noise. In
one embodiment, a loss of a few features of the minutiae set from the token will still leave
sufficient uncorrupted features to allow unique matching against another token derived
from the same finger. One could therefore expect a "fuzzy" (non-deterministic) set of
minutiae, that will give unique matching. Another advantage of the current invention
derives from the fact that the CK 202 tokens can be made public with no ill effects. Thus if
the database MCKD 107 is stolen or attacked by computer hackers and viruses, as long as a
backup copy of the database MCKD 107 exists at a remote and secure mirror-site, there is
no lasting negative consequence (so long as exact matches with prior stored tokens require
that a call be blocked).

FIG. 2 shows a typical structure for the MIN-Challenge Key Database 107
("MCKD") in accordance with one embodiment of this invention. A CK 202 is stored in
association with each MIN 201. Additional instructions or restrictions on the use of each
MIN 201 can be stored in a special instruction section (SIS) 203. These may include, for
example, blocks on long distance calls to certain localities, restrictions on calls over a
certain dollar amount, etc. In addition, MCKD 107 includes a column 204 for storing
recently received tokens from FCPD 101. Anytime that a received token exactly matches
one of the tokens stored in column 204, the call may be blocked.

The CK 202 is a token that is generated from the fingerprint that the user initially
provided when registering with the phone company. This token contains information
pertinent to the fingerprint minutiae information that has been embedded so as to ensure that
if stolen it would not lead to a loss of the original fingerprint itself.

Since fingerprint images vary slightly from print to print, such tokens from the
same finger at repeated times will be different. Also, depending upon the format of
fingerprint minutiae in the tokens, two separately generated tokens of the same print will
not from the outside appear similar - only when fingerprint matching algorithms for
comparison are applied to both tokens generated from different impressions of the same
finger can both tokens be deemed to be from the same fingerprint. Thus simple possession
of a token from a given fingerprint will not enable anyone to generate other different tokens
corresponding to a different fingerprint impression from the same finger. This renders the
method very robust and tamper proof.

Token matching first requires extraction of the fingerprint minutiae from the token.
These are then compared by matching their two-dimensional coordinates. If the
coordinates match to within a defined tolerance, the tokens are deemed a match. As
explained below, tokens may be provided with a timestamp as an extra security measure.

As known in the state of the art, many fingerprint matching schemes involve the
generation of inter-minutiae-based keys (i.e., distance vectors, etc.) that while being generally
similar, will vary between multiple impressions of the same finger. Various inter-minutiae
distance-vector-derived formats are known in the art. Many of these (as well as variations on
them) may be suitable for generating keys in accordance with this invention. Such keys may,
of course, also serve as tokens such as CK 202 in this invention. Suitable matching schemes
are described in, for example, US Patent No. 4,747,147 issued to Sparrow on May 24, 1988,
US Patent No. 5,493,621 issued to Matsumura on February 20, 1996, and information
provided at the World Wide Web site www.Luccnt.Com/Prcss/0597/minu I .GAP. Each of
these documents is incorporated herein by reference for all purposes. A typical description of a
processed fingerprint is a list of x, y and angle tabulation of each minutia. Minor modification
[...] underlying fingerprint, allowing for variation during multiple impressions (e.g., slight
distortions and rolling during the pressing of the finger). Thus, using straightforward minutiae
tabulations as tokens is susceptible to minor modification that could result in illegal phone
access.

A different and frequently used description of fingerprint information is the
inter-minutiae distance vector information. Such descriptions are inherently non-linear in nature and
so when tabulations of these are randomly or systematically modified (i.e. without explicit
knowledge of the inherent non-linearity) in minor and linear ways, the new modified tabulation
will not, in general, reflect the underlying original fingerprint, even when allowing for
variation between multiple impressions of the same fingerprint.

Thus, use of such inter-minutiae distance-vector-derived keys (tokens) for matching
purposes will foil wireless fraudsters who may somehow illegally capture the transmitted
and encrypted fingerprint information and try to use the exact same keys to fraudulently
activate phone calls. That is, in general legal phone use, one expects the transmitted
fingerprint keys to be somewhat different each time, and different in a way that makes
sense with respect to the fingerprint. In illegal use, where the encrypted keys are captured,
decrypted and re-transmitted, the repeated use of a set of exact same identical keys can be
readily detected. Any minor modification of the keys, without specific prior knowledge of
non-linear relationships in order to be true has to be compatible with the true fingerprint and
thus leading to the detection of such fraudulent use.

The advantages of using a central authentication platform and a "challenge-
response" authentication method are described in U.S. Patent No. 5,420,908 described
above. However, the "challenge-response" authentication suggested in that patent differs
significantly from the current invention in at least two ways: First, the patent suggests a
shared secret key (S-key) between the wireless phone and the central authentication system.
This necessarily requires a specialized memory chip that can store the S-key to be part of
the wireless phone itself. Therefore, in the event that the wireless phone is lost or stolen,
illegal calls can be made from the phone unless special instructions to block such newly
illegal calls have been sent to the central authentication system. The current invention, in
contrast, relies on information that is stored at the user's fingertips itself, and therefore
does not require the wireless phone unit itself to store any secret key/information.
Consequently, a stolen or lost phone cannot be used illegally. Second, the challenge-
response method described in the '908 patent does not transmit the S-key itself over the air
interface. The present invention may allow transmission of the "secret" key through the air
interface, because the present challenge-response authentication scheme is not dependent on
the "secret" key per se. In a preferred embodiment, however, the key (CK 202) is kept
secret by some acceptable technique such as sending the challenge and response over
variable channels unrelated to the voice transmission and/or providing additional encryption
of the keys themselves.

By using personal biometric information, like fingerprints, the present invention
may overcome the major drawbacks of the generic "challenge-response" authentication
schemes as typified by the '908 patent method.

FIGS. 3A and 3B present a flow chart of one typical sequence of events in a
"challenge-response" authentication of this invention. The user begins the process at a step
300 by dialing a telephone number using the keypad 112 of the wireless telephone 102.
The MIN, ESN, and the phone number of the party being called are transmitted to MSC
103 at a step 301. At a branch point 302, as in a conventional system, MSC 103 either
confirms the legitimacy of the MIN-ESN pair and goes to a next step 303, or blocks the call
at a step 315. At a branch point 303, the MSC determines if the user of the MIN requested
additional security. If the result is NO, the call is connected just as routinely done in a
conventional system at a step 316. If the result is YES, the MIN is sent to the CAS 106 at
a step 304.

In a step 305, CAS 106 accesses MCKD 107 and requests token CK 202 that is
associated with the MIN. CAS 106 then generates a challenge that is different each time.
This is then encrypted with the token 202 in a step 306. The CAS 106 sends token CK
202 and the encrypted challenge to the wireless telephone via a step 307 using PSTN or
Internet 105. Additional layers of security can be added to the encrypted challenge and CK
202 if so desired. For example, the encrypted challenge can be sent to the mobile wireless
phone over a different wireless forward channel.

In a step 308, the user gives his/her fingerprint to the FCPD 101 and this is used to
generate a token. In certain variations, step 308 can be performed at any point after step 301
and the generated token stored in a memory 404 (FIG. 4). After the encrypted challenge
has been sent to phone 102 and a token has been generated from the user's fingerprint,
FCPD 101 compares the generated token with the token it received from the CAS 106 at a
conditional branch point 309. If they do not match, the call is blocked at a step 315. In
one embodiment, whenever a call is blocked the token sent by FCPD 101 of the caller's
fingerprint can be forwarded via MSC 103 through CAS 106 and specially stored for later
criminal investigation of fraudulent phone use (step 318). If they match, the token received
from CAS 106, or in other embodiments both tokens (including the one generated at the
phone), is used to decrypt the challenge sent from CAS 106 in a step 310 (begin FIG. 3B).
The FCPD 101 then sends both the now-decrypted challenge and the locally generated
token (from the user's fingerprint captured on FCPD 101) back to CAS 106 [...]
MSC 103 via a step 311.

Generally, the invention's direct mapping of individuals personally to the phone
calls they make also allows the mapping of callers who attempt unsuccessful break-ins into
the wireless phone system. Permanent records of the tokens generated from the
fingerprints of callers attempting illegal entry can be kept, if desired, for further criminal
investigation. More importantly, the mere idea of the potential of being caught when
illegally using someone else's phone may greatly reduce phone fraud.

After receiving the decrypted challenge from FCPD 101, CAS 106 compares it with
the challenge stored in a CAS temporary memory 607 (FIG. 6) at a conditional branch
point 312. If the match is not successful the result from step 312 is NO and the call is
blocked at a step 315 and then step 318 may be permitted if so desired. If there is a match
the result is YES and the process moves on to a conditional step 313. At this step, CAS
106 compares the token generated from the user's fingerprint captured and sent by FCPD
101 to one or more stored in its database 107 at column 202. If these tokens do not match,
the call is blocked, again at step 315 and step 318 is optionally performed. This second
matching of the tokens (note that they were initially compared at step 309) is provided for
additional security and may be dispensed with if desired.

Next, at an optional decision step 320, CAS 106 compares the token received from
FCPD 101 with one or more stored tokens which were previously received from FCPD
101 and CK 202. These previously received tokens are preferably those stored in column
204 of database table 107. If it is found that the most recently received token exactly
matches one of the tokens stored in columns 202 and 204 of database 107, the call is
blocked at step 315 (and step 318 is optionally performed). As noted above, tokens are
generally not identical if they capture a fingerprint with sufficient resolution because each
fingerprint from a given individual will vary slightly (e.g., the minutiae may be slightly
offset from one another). To ensure authentication in the case where a given individual
actually does give two identical legitimate tokens, the system may only block the call if two
or more successive tokens exactly match one or more of the stored tokens.

If the tokens match at step 313 but not identically (optional step 320), the call is
authenticated for connection at a step 314. Thereafter, at a step 316, the process returns to
the routine present-day calling protocol to complete the connection. If needed, allowance
for failed authentication due to severe token corruption from wireless noise etc., can be
made by having the protocol automatically re-try the entire procedure at step 304. The
entire process exits at a step 317 and ends the illustrated flow-diagram.

In a further preferred embodiment, the format of the embedded fingerprint minutiae
contains a timestamp specifying the time at which the user's fingerprint was taken. The
CAS would then deny access if the timestamp was not from an appropriate window in time
(chosen to allow for a reasonable delay between transmission of the challenge and receipt
of the newly generated fingerprint token). If a person should intercept the user's
fingerprint token, not only would he/she have to extract the fingerprint minutiae, but he/she
would also have to properly update the timestamp in order to defeat the system. In some
embodiments, the CAS only checks for timestamp, rather than examining the newly
received token for an exact match to some multiple previously received tokens.
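The CAS-side decisions described above (challenge comparison at step 312, tolerance-based token matching at step 313, exact-match replay blocking at step 320, and the timestamp window) can be sketched as follows. This is an added example, not code from the patent; the tolerance, pairing fraction, time window, history size, token layout and all names are assumptions, and the sample minutiae are constructed.

```python
import hmac
import math
import secrets
from dataclasses import dataclass, field

# Assumed parameters: the text gives no numeric values for any of these.
MATCH_TOLERANCE = 4.0      # max distance (pixels) for two minutiae to pair
MIN_PAIRED_FRACTION = 0.8  # share of enrolled minutiae that must pair
MAX_TOKEN_AGE_S = 30.0     # accepted window between capture and receipt
HISTORY_LIMIT = 5          # "pre-specified number" of tokens kept (column 204)


@dataclass(frozen=True)
class Token:
    minutiae: tuple    # ((x, y), ...) minutiae coordinates
    timestamp: float   # capture time in seconds


@dataclass
class MckdRecord:
    ck: Token                                   # column 202: enrolled token
    recent: list = field(default_factory=list)  # column 204: recent tokens


def tokens_match(enrolled, candidate):
    """Fuzzy match: pair minutiae whose 2-D coordinates agree within tolerance."""
    if not enrolled.minutiae:
        return False
    unused = list(candidate.minutiae)
    paired = 0
    for x, y in enrolled.minutiae:
        in_range = [m for m in unused
                    if math.hypot(x - m[0], y - m[1]) <= MATCH_TOLERANCE]
        if in_range:
            nearest = min(in_range, key=lambda m: math.hypot(x - m[0], y - m[1]))
            unused.remove(nearest)  # each candidate minutia pairs only once
            paired += 1
    return paired >= MIN_PAIRED_FRACTION * len(enrolled.minutiae)


def is_replay(record, token):
    """An exact copy of CK or of a recently received token signals interception.
    Only minutiae are compared, so rewriting the timestamp does not hide a copy."""
    seen = [record.ck.minutiae] + [t.minutiae for t in record.recent]
    return token.minutiae in seen


def verify_response(record, stored_challenge, returned_challenge, token, now):
    """Return the CAS decision for one response from the phone."""
    if not hmac.compare_digest(stored_challenge, returned_challenge):
        return "blocked: challenge mismatch"        # step 312
    if not 0 <= now - token.timestamp <= MAX_TOKEN_AGE_S:
        return "blocked: timestamp outside window"  # timestamp embodiment
    if not tokens_match(record.ck, token):
        return "blocked: token mismatch"            # step 313
    if is_replay(record, token):
        return "blocked: replayed token"            # step 320
    record.recent.append(token)
    del record.recent[:-HISTORY_LIMIT]              # keep only the newest tokens
    return "authorized"                             # step 314


# Constructed sample data (not real fingerprint measurements).
ENROLLED = Token(((10, 12), (40, 44), (75, 20), (90, 88), (33, 70)), 0.0)
FRESH = Token(((11, 13), (39, 45), (76, 19), (91, 87)), 998.0)  # one minutia lost
STRANGER = Token(((5, 90), (60, 61), (20, 20), (85, 40), (50, 5)), 998.0)


def run_demo():
    """Run six attempts against one record; a real CAS issues a new challenge each time."""
    record = MckdRecord(ck=ENROLLED)
    challenge = secrets.token_bytes(16)
    wrong = bytes(b ^ 0xFF for b in challenge)  # guaranteed to differ
    now = 1000.0
    attempts = [
        (challenge, FRESH, now),                            # legitimate capture
        (challenge, FRESH, now),                            # same token resent
        (challenge, Token(ENROLLED.minutiae, 999.0), now),  # CK with new timestamp
        (challenge, STRANGER, now),                         # different finger
        (wrong, FRESH, now),                                # bad decryption
        (challenge, FRESH, now + 3600.0),                   # token too old
    ]
    return [verify_response(record, challenge, resp, tok, t)
            for resp, tok, t in attempts]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The sketch blocks on the first exact match; the variant that blocks only after two or more successive exact matches is not modelled.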

FIG. 4 is a diagram presenting one embodiment of the FCPD 101 and its
interconnection with the wireless telephone 102 (FIG. 1). The illustrated FCPD 101
contains a fingerprint imager 417 for converting a fingerprint from a finger 415 into a
fingerprint image. FCPD 101 also includes a CPU (central processing unit) 401 that can
supply all the computational needs of the "challenge-response" authentication process, and
more importantly all necessary processing of fingerprint images and their subsequent
comparison. An interface port 402 and a data bus line 403 are together capable of handling
all the communications between various parts of FCPD 101 and wireless telephone 102.
This includes all types of serial interfaces and voice channels for transmitting and receiving
data. A memory module 404 stores at least those items necessary to the operation of FCPD
101 including: 1) a software program 405 which contains program codes for fingerprint
image processing, matching, decryption of the challenge, and the generation of responses;
and 2) a response storage unit 406 which temporarily stores the response before sending it
to the CAS 106.

CPU 401 can be any suitable integrated circuit or electronic design including
multichip modules and circuitry formed on printed circuit boards. If it is an integrated
circuit, it may be a general purpose microprocessor, a logic device such as an application
specific integrated circuit (ASIC), etc. Examples of suitable ASICs include gate arrays,
simple and complex programmable logic devices (PLDs), digital signal processors (DSPs),
and field programmable gate arrays (FPGAs).

In one embodiment, fingerprint imager 417 includes a fingerprint capture surface
such as a window or capacitor array which produces an image of the user's fingerprint
when the user places his or her finger thereon. In addition, imager 417 includes the optics
necessary to direct an optical image of the fingerprint onto a solid state imager which also
forms part of the fingerprint imager. The solid state imager, which is preferably a CCD array
or a CMOS photodiode/photogate array, generates an electronic image of the user's
fingerprint. If the solid state imager is a CMOS photodiode/photogate array, it may be
provided on a single integrated circuit together with processing logic such as CPU 401.
Further details of suitable optical fingerprint imagers are provided in U.S. Provisional
Application No. 60/025,949, "Embeddable Module for Fingerprint Capture and Matching,"
filed on September 11, 1996, and naming R. Rao, S. Subbiah, Y. Li & D. Chu as
inventors. In an alternative embodiment, imager 417 may be a capacitor array formed on a
semiconductor substrate such as that described in the May 22, 1997 edition of the San
Francisco Chronicle, "New Chip Verifies Fingerprints" which pertains to a product of
Veridicom Corporation. In another alternative embodiment, imager 417 may be an
ultrasonic mechanism formed on semiconductor substrates.

It is important to note here an advantage over the "challenge-response"
authentication method presented in U.S. Pat. No. 5,420,908 (referred to as the Secret-
Key). In the present invention, the "key" need not be persistently stored in the FCPD 101
module. Therefore the wireless telephone cannot be used by any other user even when it is
lost or stolen.

In a preferred embodiment, telephone 102 is a conventional wireless telephone. It
communicates with FCPD 101 over a connection line 407 which may be a parallel or serial
connection. Telephone 102 may contain a key pad 411, all necessary telecommunication
functions 413 (including a stored MIN and provisions for generating a dialed number from
key pad inputs), data bus lines 412, and an interface port 410 for communicating with
FCPD 101 (over connection line 407) and with wireless stations such as an MSC. It is
important to note that interface port 410 should be capable of interfacing not only voice
communication signals (for standard mobile phone operation), but other communication for
control between the CAS 106 and the FCPD 101 to complete the "challenge-response"
authentication. In a preferred embodiment, interface port 410 is capable of sending and
receiving fingerprint data over a data channel which operates at a different frequency from a
communications channel which sends and receives the wireless communications (e.g.,
voice data).

Preferably, FCPD 101 is integrated directly within the casing of a conventional
wireless telephone or other communication source, the only distinction being the presence
of a fingerprint capture window on the side of the telephone and accessing imager 417. In
an especially preferred embodiment, a single integrated circuit provides most of the
functions of FCPD 101 and telephone 102. These functions include, for example, CPU
401, memory 404, and telecom functions 413. As functions from both FCPD 101 and
telephone 102 are provided on the same chip, interface port 402 and connection line 407 are
not required. A modified version of interface port 410 having only the functionality
necessary to communicate with other wireless stations (not FCPD 101) may be employed
on the integrated circuit. This single chip embodiment has the advantage of an extra layer of
security as thieves will be unable to directly monitor signals crossing connection line 407.

If fingerprint imager 417 is a CMOS imager, it may be integrated with other
components on the integrated circuit. If imager 417 is a CCD array, it typically will have to
be provided on a separate chip.

Suitable design parameters of FCPD 101 can be specified based upon the general
requirements of fingerprint analysis and matching algorithms. A typical human fingerprint
has an aspect ratio of about three to two; that is, it is one-half times as long as it is wide.
The average fingerprint has about 50 ridgelines separated by intervening valley lines that
are about equally as thick. Generally the lines run from left to right and as they do they
first traverse upwards and later downwards. Given this amount of information, the Federal
Bureau of Investigation has suggested that fingerprint detection systems should provide an
array of 512x512 pixels since it allows for at least four pixels per ridgeline and four per
valley line. Preferably, though not necessarily, the imager employed in the FCPD 101
contains an array of at least 512x512 pixels. Using sophisticated fingerprint imaging
algorithms such as those described in the above-referenced US Provisional Application
60/025,949, significantly smaller arrays can be employed. In one embodiment, the array
may include 240x160 pixels or, in another embodiment, 120x160 pixels. The use of such
small arrays has the advantage of requiring (1) less processing resources from CPU 401
and (2) less space from memory 404 during processing of a large array of fingerprint data.

Accurate fingerprint matching technology, which is well-known in the art (see, for
example, U.S. Pat. No. 2 952 181, 4 151 512, 4 322 163, 4 537 484, 4 747 147, 5 467
403 which were previously incorporated by reference), has for over a hundred years relied
on the extraction and subsequent comparison of specialized features called minutiae.
Minutiae are essentially of two equally frequent types - either the abrupt ending of a line in
the middle of the fingerprint or the fusion of two lines to create a Y-shaped junction.
Typically there are about 60 or 70 such features in a fingerprint and it is the relative location
of these from each other that creates a unique spatial pattern that statistically no other human
can possess.

Suitable methods of fingerprint matching may involve software processing steps as
illustrated in FIG. 5. After capturing the fingerprint image (step 501), a contrasting
algorithm (step 503) reduces all the gray shades of a captured image 502 to either black (for
ridgelines) or white (for valley lines) as shown in image 504. Traditionally these
algorithms are omni-directional. Basically, the particular shade of gray at each pixel is
compared with those of the neighboring pixels in all directions and if judged to be relatively
darker than most of its neighbors it is deemed to be black, otherwise white. After this
contrasting step, the contrasted image 504 is further processed by a thinning algorithm
[...]
thick to only one pixel thick, thereby increasing the number of white pixels substantially.
A thinned image 506 is then examined by further algorithms (step 507) that attempt to
deduce and accurately extract the minutiae and their locations as shown in a map 508. The
process is then completed at 509. All further fingerprint matching/comparison often relies
primarily on these 60 or 70 extracted pieces of information.
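The contrasting step described above (each pixel compared with its neighbors in all directions) can be illustrated as follows. This is an added example, not code from the patent; the 3x3 neighborhood, the "more than half" rule, the global threshold shown for comparison, and the constructed sample image are all assumptions.

```python
def contrast(image):
    """Local, omni-directional contrast step: 1 = black (ridge), 0 = white (valley).

    A pixel is deemed black when it is strictly darker than more than half of
    its neighbours in the surrounding 3x3 window (assumed window size; it suits
    the one-pixel-wide ridges of the sample below, wider ridges need a wider window).
    """
    height, width = len(image), len(image[0])
    out = [[0] * width for _ in range(height)]
    for r in range(height):
        for c in range(width):
            neighbours = [image[rr][cc]
                          for rr in range(max(0, r - 1), min(height, r + 2))
                          for cc in range(max(0, c - 1), min(width, c + 2))
                          if (rr, cc) != (r, c)]
            darker_than = sum(1 for n in neighbours if image[r][c] < n)
            out[r][c] = 1 if darker_than > len(neighbours) / 2 else 0
    return out


def global_threshold(image, level):
    """Comparison only (not from the text): one fixed gray level for the whole image."""
    return [[1 if px < level else 0 for px in row] for row in image]


def sample_image(rows=5, cols=7, ridge_cols=(1, 5)):
    """Constructed gray image (0 = dark): two vertical one-pixel ridges, with the
    background brightening from left to right as under uneven finger pressure."""
    return [[100 + 20 * c - (60 if c in ridge_cols else 0) for c in range(cols)]
            for _ in range(rows)]


if __name__ == "__main__":
    img = sample_image()
    print("local :", contrast(img)[2])               # both ridges recovered
    print("global:", global_threshold(img, 128)[2])  # right ridge lost, left valley misread
```

On the constructed image the local rule recovers both ridges, while the fixed threshold misclassifies a dark valley pixel and misses the brighter ridge, which is why a neighbor-relative comparison suits unevenly lit or unevenly pressed prints.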

Central authentication system (CAS) 106 is preferably, though not necessarily,
provided as a server or other node connected to one or more MSCs over a public switched
telephone network. CAS 106 may also have wireless connection to an MSC or may even
form a part of the MSC. Generally, CAS 106 must be able to generate and compare
challenges, access a database of fingerprint based tokens, and communicate with a plurality
of wireless sources (e.g., mobile cellular telephones) via the one or more MSCs.

FIG. 6 is a diagram of CAS 106 in accordance with one embodiment of this
invention. The design is superficially similar to the FCPD 101 (and the design presented in
U.S. Pat. No. 5,420,908). Connected to CAS 106 are PSTN 105 and MCKD 107. CAS
106 must be able to handle, simultaneously, many calls from many wireless carriers. It
includes a memory 605 including a persistently stored program 606 and various
temporarily stored items including a challenge 607, a response token 608, and a decrypted
message 609. Program 606 contains the instructions for generating a challenge, encrypting
the challenge with a fingerprint based token, validating a decrypted challenge (e.g., by
comparison with the generated challenge), fingerprint matching based on tokens, and, in
some embodiments, comparing a response token with one or more stored tokens and
further assuring that tokens are not identical as that would imply illegal use. Response
token 608 is a memory entity containing the token sent back from the FCPD 101 in the
wireless telephone 102 before token matching is conducted. When a new token is provided
from FCPD, the stored token is updated.

In addition, CAS 106 includes a CPU 602 for controlling the execution of a
program 606, accessing memory 605, and communicating with the MSCs over the PSTN.
Communication over the PSTN is provided through a data interface 601 in CAS 106 which
is connected to the PSTN over a line 105. In addition, CAS 106 communicates with
MCKD database 107 through a database interface 603 as shown. CPU 602, memory 605,
database interface 603, and data interface 601 communicate with one another over a data
bus 604.

In a preferred embodiment, the initial registration of the phone-owner's fingerprint
at the CAS 106 to create the appropriate entry into the MCKD 107 need not require the user
to visit the central phone service provider. When the phone-owner purchases or rents the
wireless phone at any local phone store he or she can use the FCPD 101 on the newly
purchased wireless telephone 102 itself to activate registry at the CAS 106 via the common
air interface and MSC 103. The phone's ESN and MIN can be sent along with the owner's
fingerprint and placed in the CAS database for future use.

In yet another embodiment of the present invention, multiple users can be permitted
to use the same wireless phone. All that is required is that the MCKD 107 at the CAS 106
be allowed to contain multiple CKs 202, one generated from each user of the same phone.
Such authorization can in principle be activated/initiated by the phone owner serving as a
master user who can at any time recruit additional users to be able to use their phone. By
activating appropriate buttons on the phone, the master user can in principle activate the
phone and the CAS 106 to receive a newly recruited user's fingerprint for association with
the master user's entry in the MCKD 107. The master user can remotely authorize this
action by simply validating it with his/her fingerprint. Again by engaging a pre-defined
sequence of buttons on the phone the master user could also in principle remove previously
authorized co-users.

In a further embodiment of the present invention, the phone owner could use more
than one fingerprint as a means to authenticate his/her identity. The MCKD 107 can be
arranged to contain information regarding more than one fingerprint of the owner. In fact,
if additional password-like security beyond fingerprint security is desired, the owner can
provide multiple fingerprints from different fingers in a particular secret order. This can
serve as a "password" known only to the owner.

In one use of the current invention, the traditional MINs and ESNs associated with
wireless phones are no longer required. The wireless telephone 102 will have an integrated
FCPD 101. When a user dials a number, the number of the party being called and the
token generated from the fingerprint of the user on the FCPD 101 will be sent to the MSC
103 and then forwarded to the CAS 106 for authentication based only on the fingerprint
token of the user for billing and authorization purposes. Because each fingerprint token
generated from the same finger will be different, a token intercepted from the common air
interface cannot easily be used for fraudulent use of wireless telephones. If a particular
token generated from a fingerprint is captured illegally from the air interface and
subsequently used repeatedly to authorize illegal calls, this can be detected very easily by
the CAS 106 since it would in normal circumstances expect somewhat different and varied
tokens being generated from the same fingerprint. Because such variations in the generated
token are intrinsic to the way fingerprint information is distributed on the finger itself, these
variations cannot be gleaned from illegally capturing one token from the common
air interface. That is, tokens generated from the same fingerprint at different impressions
on the FCPD 101 will vary so that merely having illegally captured one of these variations
will not enable the generation of varied tokens that are still meaningfully related to the
original fingerprint. The only thing that can be done is to use the exact same illegally
captured token to make illegal calls, but that can be easily detected. Thus it is possible that
the systems of this invention can allow any user to use any wireless telephone to place
calls.

In another use of the current invention, the identity of the user can be authenticated
for the purpose of identifying the caller's personal identity rather than merely the phone
number from which the caller initiated the call - i.e. the source terminal-ID. In one embodiment of
the present invention, at step 319 (FIG. 3), the caller's personal identity as determined by
the CAS 106 can be made available to the call control entity or the recipient of the call.
Based on the prior knowledge of who the caller is (and not just merely what phone number
the caller is calling from) the call recipient may elect to block the call even after it has been
authenticated as being non-fraudulent at step 314.

The current invention also provides a method for the identification of the caller
(caller ID) originating the phone call. In recent years, caller ID technology (where the
phone number of the caller's phone is automatically revealed to the call control entity or the
recipient of the phone call in a manner that allows the recipient to screen his or her calls)
has become increasingly commonplace. In effect, caller-ID as practiced today is really
terminal-ID (the ID of the caller's phone) and not really the personal identity of the caller.
With the present invention, wireless and traditional wired phones that have the built-in
capacity to capture/compare fingerprint information and communicate with an MSC for
authorization can allow the caller to be personally identified (rather than simply the caller's
phone number) to the call control entity or the recipient for call screening or other
authentication purposes. Indeed, both the caller-ID and the terminal-ID can be jointly
authenticated for an even higher level of security in phone networks.

As mentioned, the technology described herein may be employed in contexts other
than cellular telephone systems. For example, the invention may be employed to ensure
secure access to a vehicle with a wireless security system. Many automobiles now employ
wireless systems to allow remote control of door locking, automotive alarm systems,
lighting, etc. within the automobile. When the owner approaches his or her car, he or she
can unlock the car doors or activate/inactivate other car systems before actually reaching the
car. This is accomplished with the click of a button on a wireless control module.
Unfortunately, if such a module falls into the hands of a thief (or if the wireless signal is
illegally captured through the air and decoded), he may be able to circumvent the car's
security mechanism(s) and obtain control of the car. The present invention provides a
mechanism to protect against this possibility.

Wireless car security systems of this invention may employ a wireless control
module (source) containing the logic necessary for capturing and transmitting a token based
upon a user's fingerprint. The logic may be contained within a module as described above
with reference to FCPD 101. Generally, the vehicle itself may provide most of the
functionality described above with reference to CAS 106. Of course, it need not provide
access to a PSTN or database 107. However, it should include a fingerprint token of the
car operator and possibly multiple recently received tokens so that access may be blocked if
the token exactly matches a received token.

The vehicle protection mechanism of this invention may operate as follows. First,
the system on board the vehicle determines that a request for access to the vehicle has been
initiated from a wireless source. Next, the vehicle system determines whether the source
fingerprint data provided at the wireless source matches stored fingerprint data provided for
the vehicle. Access to the vehicle is then permitted (e.g., car doors are unlocked) if the
source fingerprint data matches the stored fingerprint data. In some embodiments, the
wireless source may prompt its user for a fingerprint from which to generate the source
fingerprint data.

In especially preferred embodiments, a full challenge-response protocol as
described above with reference to Figures 3A and 3B is employed. This may involve
generating an encrypted challenge from a challenge and a token based on the fingerprint
data stored with the automobile. Then, the encrypted challenge and the stored fingerprint
token are sent to the source where the stored and source fingerprints are compared. If they
match, one of the fingerprints is used to decrypt the encrypted challenge. The now
decrypted challenge and the source fingerprint data are then sent back to the automobile
where the decrypted challenge is confirmed and the source and stored fingerprints are again
compared. If all tests are passed, access to the automobile is permitted.
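
The acceptance checks described for program 606 of CAS 106, and reused by the vehicle challenge-response variant above, can be sketched in Python as follows; this is an added example and not code from the patent. The token is assumed to be a short vector of inter-minutiae distances, and the per-element tolerance, the history size, the SHA-256 XOR transform standing in for "encrypting with a token", and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TOLERANCE = 3      # assumed: max per-distance deviation between two impressions
HISTORY_LIMIT = 8  # assumed: number of received tokens remembered per user

def xor_crypt(data, token):
    """Toy stand-in for 'encrypt/decrypt with a token'; not a real cipher."""
    key = hashlib.sha256(",".join(map(str, token)).encode()).digest()
    return bytes(a ^ b for a, b in zip(data, key))

def tokens_match(a, b):
    """Fuzzy match: same length and every distance within TOLERANCE."""
    return len(a) == len(b) and all(abs(x - y) <= TOLERANCE for x, y in zip(a, b))

class CentralAuthSystem:
    """Hypothetical model of the CAS (or on-board vehicle) decision logic."""
    def __init__(self, enrolled_token):
        self.stored = tuple(enrolled_token)  # database entry for this user
        self.seen = [self.stored]            # tokens already received
        self.challenge = None

    def issue_challenge(self):
        """Return (encrypted challenge, stored token) for the handset."""
        self.challenge = secrets.token_bytes(16)
        return xor_crypt(self.challenge, self.stored), self.stored

    def verify(self, decrypted, response_token):
        """Decide on one response; each challenge is valid only once."""
        token = tuple(response_token)
        challenge, self.challenge = self.challenge, None
        if challenge is None or not hmac.compare_digest(challenge, decrypted):
            return "bad-challenge"
        if token in self.seen:               # identical token implies reuse
            return "replay"
        if not tokens_match(token, self.stored):
            return "no-match"
        self.seen = (self.seen + [token])[-HISTORY_LIMIT:]
        self.stored = token                  # stored token is updated
        return "accept"

def handset_respond(encrypted, stored, fresh_token):
    """Handset side: compare locally, then decrypt with the stored token."""
    if not tokens_match(fresh_token, stored):
        return None
    return xor_crypt(encrypted, stored), tuple(fresh_token)

def demo():
    cas = CentralAuthSystem((41, 57, 23, 88, 64, 30))  # constructed sample token
    results = []
    # 1. New impression of the enrolled finger: close, but not identical.
    enc, stored = cas.issue_challenge()
    first = handset_respond(enc, stored, (42, 56, 23, 89, 63, 31))
    results.append(cas.verify(*first))
    # 2. Correct challenge answer, but the token is one already received.
    enc, stored = cas.issue_challenge()
    results.append(cas.verify(xor_crypt(enc, stored), first[1]))
    # 3. Answer to the earlier challenge presented against a new one.
    cas.issue_challenge()
    results.append(cas.verify(first[0], (43, 55, 24, 90, 62, 32)))
    # 4. Correct challenge answer with a token from a different finger.
    enc, stored = cas.issue_challenge()
    results.append(cas.verify(xor_crypt(enc, stored), (10, 90, 55, 12, 70, 5)))
    return results

if __name__ == "__main__":
    print(demo())
```

The exact-duplicate check runs before the fuzzy match, so a token that would otherwise pass as a close match is still refused when it equals one already on record.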

While the present invention has been described in terms of a preferred embodiment
and certain variations thereof, the scope should not be limited to the specifics presented
above. For example, while the system of this invention has been described as including a
central authentication system separated from a mobile switching center by a public switched
telephone network, the invention may be implemented by providing the central
authentication system within the mobile switching center. In this case, it may be necessary
to provide a mechanism for regularly updating the authentication system at each mobile
switching center. Further, the invention may be advantageously employed in systems that
do not employ a secret key. Importantly, the invention may rely on biometric information
other than fingerprints. Examples of such alternative biometric information include, but are
not limited to, a user's voice, personal information, photograph, hand shape, and retina.

Many similar variations on the above-described preferred embodiment may be
employed. Therefore, the invention should be broadly interpreted with reference to the
following claims.

CLAIMS

What is claimed is:

1. A method for authenticating a call to be made over a communication system,
the method comprising:

(a) determining that the call has been initiated from a source;

(b) determining whether source fingerprint data provided from said source
matches stored fingerprint data associated with said source; and

(c) if said source fingerprint data matches said stored fingerprint data,
allowing said call to be completed.

2. The method of claim 1, wherein the communication system forms at least
part of a wireless telephone network.

3. The method of claim 2, wherein the call initiated from the source may be
forwarded through any of a plurality of mobile switching centers.

4. The method of claim 2, wherein said source is a mobile cellular telephone. 

5. The method of claim 4, wherein determining that a call is being initiated
includes detecting transmission of at least one of a mobile identification number (MIN) and
an electronic serial number (ESN) associated with the mobile cellular telephone.

6. The method of claim 5 further comprising confirming that said at least one
of the MIN and the ESN is valid.

7. The method of claim 1 further comprising:

requesting that said source fingerprint data be provided from the source of
said call.

8. The method of claim 1, wherein said fingerprint data is provided in an
inter-minutiae distance-vector-derived format.

9. The method of claim 1, further comprising:

encrypting a challenge with the stored fingerprint data to produce an
encrypted challenge; and

providing the encrypted challenge to the source for the purpose of
decrypting by the source with the source fingerprint data.

10. The method of claim 9, wherein the step of determining whether the source
and stored fingerprint data match comprises:

receiving a decrypted challenge from said source, which decrypted
challenge has been decrypted with the source fingerprint data; and

comparing the challenge with the decrypted challenge from the source.

11. The method of claim 1, further comprising:

determining whether the source fingerprint data is identical to one or more
instances of sample fingerprint data previously received; and

if the source and any one of the instances of the sample fingerprint data are
identical, preventing the call from being completed.

12. The method of claim 1, where the fingerprint data is provided in a
timestamp.

13. A method for accessing a vehicle with a wireless security system, the 
method comprising: 

(a) determining that a request for access to the vehicle has been initiated
from a wireless source;

(b) determining whether source fingerprint data provided at said wireless
source matches stored fingerprint data provided for the vehicle; and

(c) if said source fingerprint data matches said stored fingerprint data,
allowing access to the vehicle.

14. The method of claim 13, further comprising prompting a user of said 
wireless source for a fingerprint from which to generate the source fingerprint data. 

15. The method of claim 13, wherein the stored fingerprint data is stored in the
vehicle.

16. The method of claim 13, wherein the vehicle is a car and allowing access to 
the car comprises unlocking the car. 

17. A method for authenticating a call to be made over a communication system,
the method comprising:

(a) transmitting a dialed number to a switching center on said
communication network;

(b) receiving a user's fingerprint;

(c) generating source fingerprint data from said user's fingerprint; and

(d) if the source fingerprint data matches stored fingerprint data associated
with user, completing the call.

18. The method of claim 17, wherein the communication system forms at least a
part of a wireless telephone network.

19. The method of claim 18, wherein (a) through (d) are performed by a mobile
cellular telephone.

20. The method of claim 17, further comprising: 

transmitting at least one of a MIN and an ESN to said switching center. 

21. The method of claim 17, further comprising:

prompting the user to provide a fingerprint. 

22. The method of claim 17, wherein generating source fingerprint data
provides the source fingerprint data in a format comprising inter-minutiae
distance-vector-derived information.

23. The method of claim 17, further comprising: 

determining whether the source fingerprint data matches the stored 
fingerprint data prior to completing the call.

24. The method of claim 23, wherein the stored fingerprint data is provided 
from a database on a public switched telephone network. 

25. The method of claim 17, further comprising: 

receiving an encrypted challenge from the switching center;

decrypting the encrypted challenge with the source fingerprint data to
produce a decrypted challenge; and

transmitting said decrypted challenge to the switching center, such that if the
decrypted challenge is found to match an unencrypted challenge, specifying that the source
fingerprint data matches the stored fingerprint data.

26. The method of claim 17, wherein generating source fingerprint data
provides the source fingerprint data in a format comprising a timestamp.

27. A wireless communication device capable of rendering wireless
communications secure by requiring biometric information from a user, the device
comprising:

(a) a wireless communications interface for sending and receiving wireless
communications;

(b) a device for capturing the user's fingerprint; and

(c) a processing device capable of converting the user's fingerprint to
source fingerprint data which can be transmitted.

28. The device of claim 27, wherein the device is a wireless telephone.



29. The device of claim 28, wherein the wireless telephone includes a casing
and provided within said casing are the device for capturing the user's fingerprint and the
processing device.

30. The device of claim 27, wherein the wireless communications interface is 
capable of sending the source fingerprint data to a remote location. 

31. The device of claim 30, wherein the wireless communications interface is
capable of sending and receiving fingerprint data over a data channel which operates at a
different frequency from a communications channel which sends and receives the wireless
communications.



32. The device of claim 27, wherein the device for capturing the user's
fingerprint includes:

a fingerprint capture surface on which the user can place his or her finger to
produce an optical image of the user's fingerprint;

an imager capable of generating an electronic image of the user's fingerprint;
and

optics for directing the optical image of the user's fingerprint from the
fingerprint capture surface to the imager.

33. The device of claim 32, wherein the imager is selected from the group
consisting of CCD arrays and CMOS photodiode/photogate arrays.

34. The device of claim 33, wherein the imager is a CMOS 
photodiode/photogate array which is provided on an integrated circuit together with the
processing device.

35. The device of claim 27, wherein the device for capturing the user's
fingerprint is a capacitor array formed on a semiconductor substrate or an ultrasonic
mechanism formed on a semiconductor substrate.

36. The device of claim 27, wherein the processing device is a CPU. 

37. The device of claim 27, wherein the processing device is capable of 
comparing the source fingerprint data with stored fingerprint data received from a remote
location, whereby when the source and stored fingerprint data are found to match, the
device allows a communication to proceed.

38. The device of claim 37, wherein the processing device is capable of 
decrypting a challenge received from said remote location. 

39. A central authentication system connected to a communications network and
capable of rendering wireless communications secure by processing biometric information
from a user, the device comprising:

(a) a communications interface for sending and receiving data
communications over said communications network;

(b) a database interface for accessing a database containing stored
fingerprint data associated with users of wireless communications devices; and

(c) a processor capable of determining whether a wireless communication
from a wireless communications device should be permitted based upon a match between a
fingerprint taken from said wireless communications device and stored fingerprint data
associated with the wireless communications device.

40. The central authentication system of claim 39, wherein the communications 
interface is coupled to a public switched telephone network. 

41. The central authentication system of claim 40, wherein the data
communications are directed to one or more mobile switching centers.

42. The central authentication system of claim 39, wherein the database
includes, for at least one of said wireless communications devices, a plurality of received
tokens containing information from fingerprints taken at said wireless communications
device.

43. The central authentication system of claim 42, wherein the processor is
capable of comparing a newly received token from a given wireless communication device
with said plurality of tokens for said given wireless communications device.



44. The central authentication system of claim 39, wherein the processor is
capable of generating an encrypted challenge by encrypting a challenge with a token
containing said stored fingerprint data.

45. The central authentication system of claim 39, further comprising a memory
which persistently stores a program allowing the processor to determine whether wireless
communications from the wireless communications devices should be permitted.

46. The central authentication system of claim 45, wherein the memory can
store a challenge and a decrypted challenge so that the processor can determine whether the
challenge and the decrypted challenge match.